[squid-users] transparent http and https filter with white-list only

Alex Rousskov rousskov at measurement-factory.com
Wed Feb 1 20:33:10 UTC 2017


On 02/01/2017 07:46 AM, Amos Jeffries wrote:
> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump splice https_allow
>> ssl_bump terminate all


>  All other traffic will be terminated ... maybe with an HTTP error page.

Bugs notwithstanding, the terminate action should close the client TCP
connection without serving the error page.



> The ssl::server_name ACL will not work outside of the ssl_bump directive.

Each SslBump step gives the ACL more [reliable] information, but the ACL
is not confined to the ssl_bump rules. Using this ACL before (or without
any) ssl_bump steps is almost pointless because it can probably only
match "none", but using it during or after those steps is fine, even
outside the ssl_bump directive context. This clarification is based on
my interpretation of v5 code.

This aspect may not be relevant to your squid.conf, but I wanted to
clarify it in case somebody uses this email thread for other purposes.


Cheers,

Alex.


