[squid-users] Working peek/splice no longer functioning on some sites
James Lay
jlay at slave-tothe-box.net
Fri Dec 1 18:05:14 UTC 2017
On 2017-11-29 07:29, Amos Jeffries wrote:
> On 28/11/17 03:50, James Lay wrote:
>> On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
>>> Perhaps an alternative is to peek only on step1:
>>>
>>> acl step1 at_step SslBump1
>>>
>>> ssl_bump peek step1
>>> acl allowed_https_sites ssl::server_name_regex
>>> "/opt/etc/squid/http_url.txt"
>>> ssl_bump splice allowed_https_sites
>>> ssl_bump terminate all
>>
>> Hrmm...wouldn't that negate the ability to read the cert on step2?
>>
>
> Yes it would.
>
>> In layman's terms I'm thinking:
>> "peek at step1"
>> "splice acl allow matched sni's"
>> "peek at step2"
>> "splice acl allow'd matched certs"
>> "terminate the rest"
>>
>> Would that work, Amos?
>>
>
> This is essentially what I suggested at the beginning.
>
> Placing splice action and your ACLs on the first ssl_bump line ensures
> that at each step if enough details are known to splice it will
> happen.
>
> The second line being "peek all" makes peek happen at every step for
> which it is possible (step 1 and step 2 - not step 3).
>
> "terminate all" being last makes it happen for "all the rest", aka
> step 3 if Squid gets that far without splicing.
>
>
> The only difference is that my suggested way would also allow splicing
> the CONNECT if it happens to be presented with a host name in the
> authority-URI. Which cannot happen on your proxy unless your port 3128
> happens to be intercepting traffic between clients and another proxy.
Ah...ok so this is my lack of understanding then of peek/splice. Sounds
like this is what I can try:
ssl_bump splice all
acl allowed_https_sites ssl::server_name_regex
"/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
Is that what you're meaning, Amos? Thanks again.
James
>
>
> BTW please do not use port 3128 for intercept. It is officially
> registered for HTTP proxy traffic and so qualifies as "well known".
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
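The two rule orderings discussed in this thread, written out side by side as a squid.conf fragment. This is an added example, not configuration posted by either James or Amos; the ACL name and regex file path are the ones James posted, and the per-step comments follow Amos's explanation of when each action can apply.

```conf
# ACL as posted in the thread: matches the server name known at the
# current step (CONNECT authority at step 1, client SNI at step 2,
# server certificate names at step 3).
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# --- Ordering James proposed (does not do what he wants) ---
# ssl_bump lines are evaluated in order at every step. "splice all" is
# first, so it matches at step 1 and every connection is spliced before
# Squid has seen the SNI or the server certificate. The two lines below
# it are never reached.
#ssl_bump splice allowed_https_sites
#ssl_bump terminate all
#ssl_bump splice all

# --- Ordering Amos described (splice as soon as enough is known) ---
# step 1: allowed_https_sites can only match a host name in the CONNECT
#         authority; on intercepted traffic there is none, so the rule
#         does not match and "peek all" runs, revealing the client SNI.
# step 2: allowed_https_sites is checked against the SNI; a match is
#         spliced, anything else is peeked again to get the server cert.
# step 3: allowed_https_sites is checked against the certificate names;
#         peek is not possible at this step, so "terminate all" catches
#         whatever has not been spliced by now.
ssl_bump splice allowed_https_sites
ssl_bump peek all
ssl_bump terminate all
```

The first block is left commented out so the fragment loads as the working ordering; the order of the three active lines is what matters, not their number.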