[squid-users] Squid 3.5.10 SSL Bump whitelist domains

Alex Rousskov rousskov at measurement-factory.com
Wed Oct 21 22:49:49 UTC 2015

On 10/21/2015 02:49 PM, Yuri Voinov wrote:

> Working config snippet for 3.5.x looks like this:
> ssl_bump peek get_sni_at_step1
> ssl_bump splice spliced_hosts
> ssl_bump bump net_bump

The above config leaves the following question unanswered:

Q: What happens if neither spliced_hosts nor net_bump match at bumping
step #2?

Leaving questions unanswered is a bad idea for ssl_bump rules because
defaults are complex (and used to be broken). To answer that question
(instead of forcing Squid to guess the answer), add a fourth catch-all
rule. For example, this is how the latest Squids would guess:

  ssl_bump peek step1
  ssl_bump splice spliced_hosts
  ssl_bump bump net_bump
  ssl_bump splice all

If spliced_hosts ACL negation works reliably, then the above is
equivalent to:

  ssl_bump peek step1
  ssl_bump bump !spliced_hosts net_bump
  ssl_bump splice all

but I recommend avoiding ACL negation in the actual rules.

Finally, please make sure your http_access rules correctly handle
CONNECT requests (real for forwarded connections and fake ones for
intercepted connections). This may be difficult to do right now due to
bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340


P.S. I renamed get_sni_at_step1 to step1 in the above examples because
that ACL itself does not know anything about SNI and does not force
Squid to get SNI.
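For readers assembling this into a working configuration, here is an added example (not from the original thread, and not Squid project code) that supplies the ACL definitions the four-rule set above depends on, with the catch-all as the last ssl_bump rule and a minimal http_access section that admits the real and fake CONNECT requests before the ssl_bump rules run. The domains, the 10.0.0.0/8 network, port 3129 and the certificate/helper paths are assumptions; the http_access part is the ordinary structure and does not address bug 4340.

```conf
# Added example: ACLs and ports for the four-rule ssl_bump set discussed above.
# Domains, 10.0.0.0/8, port 3129 and all file paths are assumptions.

http_port 3128
http_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8

# Only names the bumping step; it does not fetch or inspect SNI itself.
acl step1 at_step SslBump1

# ssl::server_name is populated by the peek at step 1, so it is
# meaningful when these rules are evaluated at step 2.
acl spliced_hosts ssl::server_name .bank.example .example.org
acl net_bump src 10.0.0.0/8

# Forwarded traffic arrives as a real CONNECT; intercepted traffic is
# turned into a fake CONNECT to host:443. Both must pass http_access
# before any ssl_bump rule is consulted.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Every step 2 outcome is stated explicitly; no negation, and the
# final "splice all" is the catch-all so Squid never has to guess.
ssl_bump peek step1
ssl_bump splice spliced_hosts
ssl_bump bump net_bump
ssl_bump splice all
```

After editing, `squid -k parse` will reject unknown ACL types or misspelled directives before the configuration is loaded, which is a cheap way to catch a typo in an ACL name that would otherwise silently cause a rule to never match.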

