[squid-dev] [PATCH] Second adaptation missing for CONNECTs
Amos Jeffries
squid3 at treenet.co.nz
Mon May 8 06:49:02 UTC 2017
On 08/05/17 13:18, Alex Rousskov wrote:
> On 03/31/2017 07:21 AM, Christos Tsantilas wrote:
>> Avoid sending second CONNECT request to adaptation
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> The users may not want to send the second request to the adaptation
>> services. In this case they can use acls as follows:
>>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl markSpliced annotate_client spliced=true
>>
>> ssl_bump peek step1
>> ssl_bump splice step2 markSpliced
>>
>> acl markedSpliced note spliced true
>>
>> adaptation_access class_reqmodifing deny markSpliced
>> adaptation_access class_reqmodifing allow all
>
> For the record, there is also an alternative way to avoid step2
> adaptation (without using any annotations):
>
> adaptation_access request-modifier deny step2
> adaptation_access request-modifier allow all
>
> Christos has verified that both approaches work so admins can pick the
> one _they_ prefer (which may depend on, for example, whether they are
> already using annotations for something else).
So the documentation of at_step is now wrong:
"Never matches and should not be used outside of /ssl_bump/."
Amos
More information about the squid-dev
mailing list