Without authentication, bump-server-first CONNECT requests allow uncontrolled
SSL handshakes with origin servers, which is not desirable if the proxy
operator does not want to allow users to access external resources anonymously.

Authenticating CONNECT requests is troublesome because when CONNECT
authentication fails, the proxy has difficulties communicating details of the
error to the browser, due to security vulnerabilities discussed at
https://bugzilla.mozilla.org/show_bug.cgi?id=479880

This patch implements the following logic to allow for seamless authentication
of CONNECT requests in a bump-server-first setup:
- Process http_access. Authenticate CONNECT request if needed, which may
require several HTTP CONNECT exchanges. This should be already supported.
- If access is allowed, use Connect-To-Server-First (for bumped connections)
or normal TCP tunneling (for regular connections). This should be already
supported.
- If access is denied, check ssl_bump and delay the error (for bumped
connections) or serve the error immediately (for regular connections).
This needs work.

"Delaying the error" in this context means remembering the error, responding
with 200 Established, establishing a bumped secure connection with the client,
not connecting to the origin server at all, and serving the error to the client
when the first encapsulated request comes.
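
The three steps and the delayed error, traced as a small state model. This is an added example, not code from the patch or from the proxy itself; the class and function names, the ALLOWED_USERS set standing in for the http_access outcome, and the 407/403 status codes are assumptions made for illustration.

```python
# Toy model (constructed for illustration) of the CONNECT decision logic
# described in the commit message. Not the proxy's own code.
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_USERS = {"alice"}  # constructed stand-in for the http_access result


@dataclass
class ClientConn:
    bump: bool                           # does ssl_bump match this connection?
    delayed_error: Optional[str] = None  # error remembered for later delivery
    origin_contacted: bool = False       # True once the origin server is reached
    log: list = field(default_factory=list)


def _reply(conn, status):
    conn.log.append(status)
    return status


def handle_connect(conn, target, user=None):
    """Process one CONNECT request and return the status sent to the client."""
    if user is None:
        # Step 1: authentication may take several CONNECT exchanges.
        return _reply(conn, "407 Proxy Authentication Required")
    if user in ALLOWED_USERS:
        # Step 2: access allowed, so bump server-first or tunnel plain TCP.
        conn.origin_contacted = True
        return _reply(conn, "200 Established")
    # Step 3: access denied.
    if not conn.bump:
        return _reply(conn, "403 Forbidden")  # regular: serve the error now
    # Bumped: remember the error, answer 200, never touch the origin server.
    conn.delayed_error = f"403 Forbidden: {user} may not reach {target}"
    return _reply(conn, "200 Established")


def handle_encapsulated(conn, request_line):
    """Handle the first request arriving inside the bumped secure connection."""
    if conn.delayed_error is not None:
        return _reply(conn, conn.delayed_error)
    return _reply(conn, f"forwarded: {request_line}")
```

Checking origin_contacted after a denied bumped CONNECT confirms the property the message is after: no SSL handshake with the origin server happens for a user who failed http_access.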