[squid-users] Correctly implementing peak-splice
James Lay
jlay at slave-tothe-box.net
Thu Oct 30 12:06:06 UTC 2014
Hello all,
Here is my complete config for trying out peek/splice. This currently
does not work..is there something obvious that I'm mission? Current
error is:
Oct 30 06:03:14 gateway squid: 192.168.1.110 - - [30/Oct/2014:06:03:14
-0600] "GET https://www.google.com/ HTTP/1.1" 503 3854
TAG_NONE:HIER_NONE
and on the page I get a 71 protocol error and a SSL3_WRITE_PENDING:bad
write retry.
Thank you.
James
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl allowed_sites url_regex "/opt/etc/squid/url.txt"
acl all_others dst all
acl SSL method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow allowed_sites
http_access deny all_others
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
sslproxy_cert_error allow all
sslproxy_options ALL
sslproxy_flags DONT_VERIFY_PEER
ssl_bump peek all
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/etc/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
options=ALL sslflags=NO_SESSION_REUSE
always_direct allow all
access_log syslog:daemon.info common
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /opt/var
More information about the squid-users
mailing list