[squid-users] Working peek/splice no longer functioning on some sites
Amos Jeffries
squid3 at treenet.co.nz
Sat Nov 25 12:33:36 UTC 2017
On 26/11/17 00:52, James Lay wrote:
> On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
>> On 25/11/17 08:30, James Lay wrote:
>>> Topic says it...this setup has been working well for a long time, but
>>> now there are some sites that are failing the TLS handshake. Here's
>>> my setup:
>>>
>>> acl localnet src 192.168.1.0/24
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80
>>> acl Safe_ports port 443
>>> acl CONNECT method CONNECT
>>> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_Ports
>>> http_access allow SSL_ports
>>> http_access allow allowed_http_sites
>>> http_access deny all
>>> ssl_bump peek all
>>> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
>>> ssl_bump splice allowed_https_sites
>>> ssl_bump terminate all
>>
>> Because you have "peek all" being performed the transaction MUST pass
>> your regex patterns with both TLS SNI from the client *and* the server
>> certificate SubjectName values. Either one not matching will perform
>> that "terminate all" on the TLS handshake.
>>
>
> Thanks Amos...do you have a suggestion for changing this to match one or
> the other instead of both?
Doing the splice check before the peek should do that. First one of the
server_names data sources to match will then splice and non-matches fall
through to either peek or terminate if no more peeking possible.
Amos
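The reordering Amos describes, written out as an added illustration (not taken from James's configuration or from the Squid documentation); the regex file path is the one from the thread, and the per-step comments state my understanding of which name source the ssl::server_name ACL sees at each SslBump step.

```squid
# The same regex list is consulted at every SslBump step, but the name
# it is matched against differs per step:
#   step 1: the host from the client's CONNECT request (nothing peeked yet)
#   step 2: the TLS SNI from the client hello (after the first peek)
#   step 3: the server certificate SubjectName (after the second peek)
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# Original order from the thread, kept here commented out for comparison.
# "peek all" wins at steps 1 and 2, so the list is only consulted at
# step 3, by which point both the SNI and the certificate name must
# match; a site whose SNI matches but whose certificate name does not
# falls through to "terminate all".
#ssl_bump peek all
#ssl_bump splice allowed_https_sites
#ssl_bump terminate all

# Reordered: test for a match before deciding to peek any further.
# A match at step 1 (CONNECT host) or step 2 (SNI) splices at once and
# the server certificate is never examined. At step 3 peeking is no
# longer possible, so a non-match there falls through to terminate.
ssl_bump splice allowed_https_sites
ssl_bump peek all
ssl_bump terminate all
```

Note that a splice at step 1 is decided on the host name the client put in its CONNECT request, before any TLS data has been seen, so the check only becomes as strong as the SNI or certificate match for connections that reach the later steps.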