[squid-users] Working peek/splice no longer functioning on some sites

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 3 21:18:18 UTC 2017


On 02/12/17 07:05, James Lay wrote:
> On 2017-11-29 07:29, Amos Jeffries wrote:
>> On 28/11/17 03:50, James Lay wrote:
>>> On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
>>>> Perhaps an alternative is to peek only on step1:
>>>>
>>>> acl step1 at_step SslBump1
>>>>
>>>> ssl_bump peek step1
>>>> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
>>>> ssl_bump splice allowed_https_sites
>>>> ssl_bump terminate all
>>>
>>> Hrmm...wouldn't that negate the ability to read the cert on step2?
>>>
>>
>> Yes it would.
>>
>>> In layman's terms I'm thinking:
>>> "peek at step1"
>>> "splice acl allow matched sni's"
>>> "peek at step2"
>>> "splice acl allow'd matched certs"
>>> "terminate the rest"
>>>
>>> Would that work Amos?
>>>
>>
>> This is essentially what I suggested at the beginning.
>>
>> Placing splice action and your ACLs on the first ssl_bump line ensures
>> that at each step if enough details are known to splice it will
>> happen.
>>
>> The second line being "peek all" makes peek happen at every step for
>> which it is possible (step 1 and step 2 - not step 3).
>>
>> "terminate all" being last makes it happen for "all the rest", aka
>> step 3 if Squid gets that far without splicing.
>>
>>
>> The only difference is that my suggested way would also allow splicing
>> the CONNECT if it happens to be presented with a host name in the
>> authority-URI. Which cannot happen on your proxy unless your port 3128
>> happens to be intercepting traffic between clients and another proxy.
> 
> Ah...ok so this is my lack of understanding then of peek/splice.  Sounds 
> like this is what I can try:
> 
> ssl_bump splice all

ITYM 'peek all' there.

> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all
> 
> Is that what you're meaning Amos?  Thanks again.
> 
> James
> 

Amos
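The complete ssl_bump section in the order Amos describes (splice with the ACL first, then "peek all", then "terminate all"), written out as an added example rather than a configuration taken from the thread. The intercept https_port line, the CA certificate path and the contents of the regex file are assumptions for illustration; the ACL name and the file path /opt/etc/squid/http_url.txt are the ones used in the thread. The step ACLs are included only as documentation of what each line does at each step; the ordering works without them.

```conf
# Added example (not from the thread): peek/splice ordering for an
# intercepting Squid where the ACL decides what is allowed to pass.

# Assumption: port 3128 receives NAT-intercepted HTTPS, so there is no
# CONNECT request and the only names Squid can learn are the client's
# SNI (step 1) and the server certificate's CN/SAN (step 2).
https_port 3128 intercept ssl-bump cert=/etc/squid/ssl/squid-ca.pem

# One regular expression per line in the file, for example:
#   ^(.*\.)?example\.org$
# ssl::server_name_regex matches whatever name is known at the current
# step: SNI at step 1, the server certificate subject at step 2.
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# Optional: only to make the per-step behaviour explicit in logs/comments.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# 1. Splice as soon as enough is known: a matching SNI splices at step 1,
#    a matching certificate name splices at step 2.
ssl_bump splice allowed_https_sites

# 2. Otherwise keep looking. Peek is possible at steps 1 and 2 only, so
#    this line never applies at step 3.
ssl_bump peek all

# 3. Reaching step 3 without a splice means neither the SNI nor the
#    certificate matched the allow list; close the connection.
ssl_bump terminate all
```

Writing "ssl_bump splice all" as the first line instead of "ssl_bump peek all" (the slip Amos points out) would splice every connection at step 1 before the ACL is ever consulted, so the later splice and terminate lines would never be reached.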
