[squid-users] SSL Peek-n-Splice and exclusions by SNI

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 9 05:06:53 UTC 2015

On 9/03/2015 5:52 p.m., Nathan Hoad wrote:
> Hi folks,
> I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's
> actually possible to exclude requests based on the SNI host and have
> Squid still bump correcty.

It is supposed to work, but there have been troubles. So YMMV.

> I've been trying with this configuration,
> using a simple external acl:
> https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem
> key=/path/to/inspectkey.pem generate-host-certificates=on
> external_acl_type sni ttl=30 concurrency=60 children-max=3
> children-startup=1 %ssl::>sni /usr/libexec/bumphelper
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl sslbump_exclusions external sni
> ssl_bump peek step1 all
> ssl_bump splice step2 sslbump_exclusions

> So what am I missing? It's very hard to find documentation about this,
> so I might put this up on the wiki as an example once it's sorted.

The big issue here is ssl_bump being a fast-type access check. external
ACL helpers do not work reliably.


More information about the squid-users mailing list