[squid-users] Do peek and stare function exact same at step 1? Also does dstdom_regex work in ssl_bump?

Alex Rousskov rousskov at measurement-factory.com
Mon Jun 19 17:41:53 UTC 2017


On 06/19/2017 06:16 AM, Amish wrote:

> I was referring to:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions
> 
> Based on explanation I wonder if peek and stare are exactly same at step 1?

Both look at the same Client Hello bytes but have at least one different
side effect:

* If you use "peek" during step 1 and Squid cannot decide what you want
to do during step 2, then Squid should splice.

* If you use "stare" during step 1 and Squid cannot decide what you want
to do during step 2, then Squid should bump.

IIRC, there were implementation bugs in the above algorithm but they may
have been fixed since then. As a rule of thumb, always tell Squid what
to do by making sure that at least one applicable ssl_bump rule matches,
regardless of the step.



> If yes, which one should I use at step 1? peek or stare?

* If you intend to splice, use peek.
* If you intend to bump, use stare.
* If you are not yet sure, it is a gray area. Use whatever you think is
best.


> My 2nd question is:
> 
> In the above link it is mentioned under "Configuration Examples" that:
> "At no point during ssl_bump processing will dstdomain ACL work. That
> ACL relies on HTTP message details that are not yet decrypted"

Hm.. AFAICT, that comment is misleading: dstdomain (and dstdomain_regex)
"work" as expected in some SslBump cases, sometimes even during step1.
However, you should use server_name if possible instead because
server_name should work as expected in all SslBump cases. And the latest
Squids (v5 r15189) can be used to fine-tune server_name behavior to
match based on SNI, server certificate, and other critically important
cases.


HTH,

Alex.
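To make the "at least one applicable ssl_bump rule matches, regardless of the step" advice concrete, here is an added squid.conf fragment (it is not from this thread, the wiki page, or the Squid project; the domains are hypothetical and it assumes an https_port already configured with ssl-bump and a signing CA). It peeks at step 1, decides on splicing at step 2 from the TLS SNI via ssl::server_name rather than dstdomain, stares at step 2 otherwise so the server certificate is available, and bumps at step 3. Every step has a rule that matches, so the peek/stare "Squid could not decide" default never applies:

```conf
# Added example configuration, not from the thread above.
# Assumes: https_port ... ssl-bump ... is already configured with a CA.
# Domains below are hypothetical placeholders.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be decrypted (hypothetical list).
# ssl::server_name matches the CONNECT host at step 1 (for intercepted
# traffic only the destination IP is known then) and the SNI from
# step 2 onwards, so the domain decision is deferred to step 2.
acl splice_domains ssl::server_name .bank.example
acl splice_domains ssl::server_name .payroll.example

# Step 1: only the Client Hello is visible. Peek so that, if something
# below ever fails to match, the fallback is splice rather than bump.
ssl_bump peek step1

# Step 2: SNI is known. Splice the protected domains; for everything
# else, stare so Squid fetches the real server certificate before bumping.
ssl_bump splice splice_domains step2
ssl_bump stare step2

# Step 3: server certificate seen; bump what is left.
ssl_bump bump step3
```

Before reloading, run `squid -k parse -f /etc/squid/squid.conf` (path assumed) to catch ACL or directive typos; ssl_bump rules are evaluated in order at each step, so a rule placed after a terminal match at the same step is never reached. Squid v4+ is assumed, since at_step and ssl::server_name come from that line of development.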

