[squid-users] SSL Peek-n-Splice and exclusions by SNI
Amos Jeffries
squid3 at treenet.co.nz
Mon Mar 9 05:06:53 UTC 2015
On 9/03/2015 5:52 p.m., Nathan Hoad wrote:
> Hi folks,
>
> I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's
> actually possible to exclude requests based on the SNI host and have
> Squid still bump correctly.
It is supposed to work, but there have been troubles. So YMMV.
> I've been trying with this configuration,
> using a simple external acl:
>
> https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem
> key=/path/to/inspectkey.pem generate-host-certificates=on
> external_acl_type sni ttl=30 concurrency=60 children-max=3
> children-startup=1 %ssl::>sni /usr/libexec/bumphelper
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> acl sslbump_exclusions external sni
>
> ssl_bump peek step1 all
> ssl_bump splice step2 sslbump_exclusions
<snip>
>
> So what am I missing? It's very hard to find documentation about this,
> so I might put this up on the wiki as an example once it's sorted.
The big issue here is ssl_bump being a fast-type access check. External
ACL helpers do not work reliably.
Amos
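As an added example, not from this thread and not Squid's own documentation, here is the same exclusion expressed with Squid's built-in ssl::server_name ACL, which is a fast ACL type and so sidesteps the helper problem described above. The exclusions file path and the final bump rule are assumptions, since the original configuration was snipped after the splice rule.

```conf
# Added example: intercept port as in the original post
https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem key=/path/to/inspectkey.pem generate-host-certificates=on

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Fast ACL instead of an external_acl helper: matches the SNI seen at
# step2 (and, once peeked, the server certificate names). One hostname
# or .domain per line; the file path is an assumption.
acl sslbump_exclusions ssl::server_name "/etc/squid/sni_exclusions.txt"

ssl_bump peek step1 all
ssl_bump splice step2 sslbump_exclusions
# Assumed final rule: bump everything that was not excluded
ssl_bump bump step3 all
```

Because ssl::server_name is evaluated inside Squid, it needs no helper round-trip and is safe to use wherever a fast ACL check is required.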