[squid-users] peek-and-splice on Centos7 and squid4

Alex Rousskov rousskov at measurement-factory.com
Tue Oct 11 17:36:09 UTC 2016


On 10/11/2016 11:09 AM, - - wrote:

> Currently I am trying to configure peek-and-splice on Centos7 and squid4. I have a
> running config for Centos6.6 and squid 3.5.18.

It might be useful to confirm that v4.0 does not work on Centos6.6
either (so that there is only one variable -- the Squid version).


> No matter what I try I can't get squid4 to splice certain sites and to
> bump/terminate the rest. My config is as follows:
> 
> acl sni_exclusions ssl::server_name .google.com
> acl sni_exclusions ssl::server_name .google.de
> 
> acl tcp_level at_step SslBump1
> acl client_hello_peeked at_step SslBump2
> ssl_bump peek tcp_level all
> ssl_bump splice client_hello_peeked sni_exclusions
> ssl_bump bump all
> 
> if I replace the ssl_bump bump all with ssl_bump terminate all, all sites are
> terminated, if I do a ssl_bump splice all, all https traffic is going through.

Which implies that your splice rule never matches or the match is
ignored for some reason.


> If I accept
> the self-generated certificate, access to the webpage is allowed. If I do the same
> with a site not allowed I'll get redirected to the deny_info page after
> accepting the certificate.

This is consistent with the above theory. The logs you have posted do
not contain ACL evaluation and post-evaluation details so it is
difficult to say why splice does not work. Please post more related
lines from an ALL,9 log. For example, something like the following might
work:

$ egrep -200 -i 'acl|google|-----|bump|sni' cache.log

Compress the results if needed.

Alex.
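As an added illustration (not code from the thread or from the Squid project), the following Python model evaluates the poster's ssl_bump rules the way Squid's first-match access lists do, step by step, so the expected outcome for a given SNI can be checked before digging through an ALL,9 log. It assumes dstdomain-style matching for ssl::server_name (a leading dot matches the domain and its subdomains), that the SNI is unknown at SslBump1 and known from SslBump2 on, and that the poster's catch-all rule makes a no-match fallback irrelevant; the helper names are my own.

```python
"""Added model of Squid ssl_bump rule evaluation; not part of the mailing-list thread."""
from dataclasses import dataclass, field


def server_name_matches(pattern: str, sni: str) -> bool:
    """ssl::server_name uses dstdomain-style matching (assumption stated in lead-in):
    '.google.com' matches 'google.com' and any subdomain; no leading dot is exact."""
    pattern = pattern.lower().rstrip(".")
    sni = sni.lower().rstrip(".")
    if pattern.startswith("."):
        return sni == pattern[1:] or sni.endswith(pattern)
    return sni == pattern


@dataclass
class Rule:
    action: str   # peek, splice, bump, terminate, ...
    acls: list    # every listed ACL must match (AND semantics on one line)


@dataclass
class Config:
    server_names: dict = field(default_factory=dict)  # acl name -> patterns
    steps: dict = field(default_factory=dict)         # acl name -> step number
    rules: list = field(default_factory=list)


def parse(config_text: str) -> Config:
    """Parse only the directives used in the poster's config."""
    cfg = Config()
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and parts[2] == "ssl::server_name":
            cfg.server_names.setdefault(parts[1], []).extend(parts[3:])
        elif parts[0] == "acl" and parts[2] == "at_step":
            cfg.steps[parts[1]] = int(parts[3][-1])  # SslBump1 -> 1
        elif parts[0] == "ssl_bump":
            cfg.rules.append(Rule(parts[1], parts[2:]))
    return cfg


def acl_matches(cfg: Config, name: str, step: int, sni):
    if name == "all":
        return True
    if name in cfg.steps:
        return cfg.steps[name] == step
    if name in cfg.server_names:
        if sni is None:  # SNI not yet seen at step 1 (assumption)
            return False
        return any(server_name_matches(p, sni) for p in cfg.server_names[name])
    raise KeyError(f"unknown acl {name}")


def decide(cfg: Config, step: int, sni=None):
    """First matching ssl_bump rule wins; None if no rule matches."""
    for rule in cfg.rules:
        if all(acl_matches(cfg, a, step, sni) for a in rule.acls):
            return rule.action
    return None


def walk(cfg: Config, sni: str):
    """Evaluate steps 1..3, stopping at the first final (non-peek) action."""
    trace = []
    for step in (1, 2, 3):
        action = decide(cfg, step, sni if step >= 2 else None)
        trace.append((step, action))
        if action not in ("peek", "stare"):
            break
    return trace


# The poster's configuration, copied from the thread.
POSTER_CONFIG = """
acl sni_exclusions ssl::server_name .google.com
acl sni_exclusions ssl::server_name .google.de

acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2
ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all
"""

if __name__ == "__main__":
    cfg = parse(POSTER_CONFIG)
    for host in ("mail.google.de", "example.org"):
        print(host, walk(cfg, host))
```

Running it shows the outcome the poster expects: a google.de SNI peeks at step 1 and splices at step 2, anything else peeks and then bumps. If real traffic does not follow that trace, the ACL lines in the ALL,9 log are where the divergence will show up.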
