[squid-users] Explanation needed for "at_step"-ACL in ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Mon Feb 1 18:57:15 UTC 2016


On 02/01/2016 09:55 AM, Tom Tom wrote:
> I'm still confused about the correct application of the "at_step" rules.
> Does an action (e.g. bump, peek, stare...) without a
> step argument implicitly mean step1, step2 AND step3?

There is no "step argument".

The following may help you understand what is going on:

0. There is nothing really special or magical about "step" ACLs or the
"all" ACL. They have no side effects. The ACLs themselves do not enable
or trigger something. When Squid evaluates ACLs for a given rule, Squid
treats all ACLs the same.

1. All ssl_bump rules are considered at each of three bumping steps.

2. Rules with actions that are impossible at the current step are ignored.

3. The action of the first matching ssl_bump rule is applied at the end
of the current step. When considering a single ssl_bump rule, Squid
simply evaluates all ACLs attached to that rule, one-by-one, according
to regular ACL matching rules.

4. If no rules match at a given step, then the bump action is used if
you have been staring and the splice action is used otherwise. I am not
100% sure this is an accurate summary of the default behavior, and you
should avoid relying on such defaults if possible.


> Why does the terminate action trigger in my example, although I
> didn't define a step?

You do not define steps. Squid goes through three hard-coded steps. At
each step, Squid applies a single ssl_bump action you have configured.
This "stepping" ends when the final action is applied during a step (see
above for the algorithm).

An ACL is nothing but a [named] condition: "If foo, then declare a
match". An ACL itself does not enable any Squid action (there are some
ugly exceptions related to authentication but those are outside SslBump
scope).

Your terminate rule triggers at step N because:

i. Some non-final SslBump rule matched at all step(s) prior to N.

ii. Each rule above "terminate" was either not applicable at step N or
its ACL(s) did not match at step N.

iii. The terminate rule ACL(s) matched at step N.


Amos has described specific conditions that could result in the
terminate action.


HTH,

Alex.
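
To make the four numbered points above concrete, the following is a small Python model of that evaluation order. It is an added illustration for this archive page, not Squid source code and not something Alex or Tom posted. Its assumptions are: the table of which actions are possible at which step, the `stepN` ACL naming (standing in for `acl stepN at_step SslBumpN` in squid.conf), and the per-step "facts" describing which other ACLs would match; the sample configuration is constructed to mirror the question, with a terminate line that carries no step ACL.

```python
"""Model of the ssl_bump evaluation algorithm described in the message above.

Added example, not Squid code. It simulates: every rule is considered at
every step, rules whose action is impossible at the step are skipped, the
first matching rule's action is applied at the end of the step, and with no
match Squid bumps if it has been staring and splices otherwise (point 4).
"""
from dataclasses import dataclass

STEPS = (1, 2, 3)

# Actions after which no further step is evaluated.
FINAL_ACTIONS = {"bump", "splice", "terminate"}

# ASSUMPTION: peek and stare are only meaningful while a handshake is still
# being inspected (steps 1 and 2); bump, splice and terminate can be chosen
# at any step. Adjust this table if your Squid version documents otherwise.
APPLICABLE_STEPS = {
    "peek": {1, 2},
    "stare": {1, 2},
    "bump": {1, 2, 3},
    "splice": {1, 2, 3},
    "terminate": {1, 2, 3},
}


@dataclass(frozen=True)
class Rule:
    """One `ssl_bump <action> <acl> [acl ...]` line."""
    action: str
    acls: tuple  # ACL names; a leading "!" negates, as in squid.conf


def parse_ssl_bump(config_text):
    """Collect the ssl_bump lines of a squid.conf fragment, in file order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "ssl_bump":
            continue  # acl definitions and other directives are not modelled
        action = parts[1]
        if action not in APPLICABLE_STEPS:
            raise ValueError(f"unknown ssl_bump action: {action}")
        if len(parts) < 3:
            raise ValueError("ssl_bump line needs at least one ACL")
        rules.append(Rule(action, tuple(parts[2:])))
    return rules


def acl_matches(name, step, facts):
    """Evaluate one ACL name at `step`.

    `facts` maps step -> set of ACL names that are true at that step; it is a
    constructed stand-in for what Squid has learned so far (client hello,
    server certificate, ...). An ACL is only a named condition, so it has no
    side effects here either.
    """
    negate = name.startswith("!")
    if negate:
        name = name[1:]
    if name == "all":
        result = True
    elif name.startswith("step") and name[4:].isdigit():
        result = int(name[4:]) == step  # models `acl stepN at_step SslBumpN`
    else:
        result = name in facts.get(step, set())
    return result != negate


def rule_matches(rule, step, facts):
    """Point 3: every ACL attached to the line is evaluated, all must match."""
    return all(acl_matches(a, step, facts) for a in rule.acls)


def evaluate(rules, facts):
    """Return [(step, action), ...] up to and including the final action."""
    trace = []
    staring = False
    for step in STEPS:
        chosen = None
        for rule in rules:                      # point 1: all rules, every step
            if step not in APPLICABLE_STEPS[rule.action]:
                continue                        # point 2: impossible here, ignored
            if rule_matches(rule, step, facts):
                chosen = rule.action            # point 3: first match wins
                break
        if chosen is None:                      # point 4: the default
            chosen = "bump" if staring else "splice"
        trace.append((step, chosen))
        if chosen in FINAL_ACTIONS:
            break                               # stepping ends
        staring = chosen == "stare"
    return trace


# Constructed configuration modelled on the question: the terminate line has
# no step ACL. blocked_sites stands for some ACL that only becomes true once
# the server side has been seen at step 2 (constructed, see EXAMPLE_FACTS).
EXAMPLE_CONF = """
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked_sites
ssl_bump splice all
"""
EXAMPLE_FACTS = {1: set(), 2: {"blocked_sites"}, 3: {"blocked_sites"}}

if __name__ == "__main__":
    for step, action in evaluate(parse_ssl_bump(EXAMPLE_CONF), EXAMPLE_FACTS):
        print(f"step {step}: {action}")
```

Running it prints peek at step 1 and terminate at step 2: the peek rule matched at step 1 (point i), at step 2 the peek rule no longer matches because its step1 ACL is false (point ii), and the terminate rule's ACL now matches (point iii). Dropping every rule except `ssl_bump stare step1` shows the default from point 4 in action: stare at step 1, then bump at step 2 because nothing matched while staring.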
