[squid-users] Correctly implementing peak-splice

Dan Charlesworth dan at getbusi.com
Sun Nov 2 02:29:17 UTC 2014


And now I’m going to bump this thread because I too would like to hear from anyone that has an example of Peek/splice functioning in 3.5 beta. 

> On 30 Oct 2014, at 11:06 pm, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> Hello all,
> 
> Here is my complete config for trying out peek/splice.  This currently
> does not work..is there something obvious that I'm mission?  Current
> error is:
> 
> Oct 30 06:03:14 gateway squid: 192.168.1.110 - - [30/Oct/2014:06:03:14
> -0600] "GET https://www.google.com/ HTTP/1.1" 503 3854
> TAG_NONE:HIER_NONE
> 
> and on the page I get a 71 protocol error and a SSL3_WRITE_PENDING:bad
> write retry.
> 
> Thank you.
> 
> James
> 
> acl localnet src 192.168.1.0/24
> 
> acl SSL_ports port 443
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> 
> acl CONNECT method CONNECT
> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> acl all_others dst all
> acl SSL method CONNECT
> 
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow manager localhost
> http_access deny manager
> 
> http_access allow allowed_sites
> http_access deny all_others 
> http_access allow localnet
> http_access allow localhost
> 
> http_access deny all
> icp_access deny all
> 
> sslproxy_cert_error allow all
> 
> sslproxy_options ALL
> sslproxy_flags DONT_VERIFY_PEER
> 
> ssl_bump peek all
> 
> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/etc/squid/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
> 
> http_port 192.168.1.253:3128 intercept
> 
> https_port 192.168.1.253:3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
> options=ALL sslflags=NO_SESSION_REUSE
> 
> always_direct allow all
> 
> 
> access_log syslog:daemon.info common
> 
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i (cgi-bin|\?)	0	0%	0
> refresh_pattern .		0	20%	4320
> 
> icp_port 3130
> 
> coredump_dir /opt/var
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list