[squid-users] Working peek/splice no longer functioning on some sites
Amos Jeffries
squid3 at treenet.co.nz
Wed Nov 29 14:29:26 UTC 2017
On 28/11/17 03:50, James Lay wrote:
> On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
>> Perhaps an alternative is to peek only on step1:
>>
>> acl step1 at_step SslBump1
>>
>> ssl_bump peek step1
>> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
>> ssl_bump splice allowed_https_sites
>> ssl_bump terminate all
>
> Hrmm...wouldn't that negate the ability to read the cert on step2?
>
Yes it would.
> In layman's terms I'm thinking:
> "peek at step1"
> "splice acl allow matched sni's"
> "peek at step2"
> "splice acl allow'd matched certs"
> "terminate the rest"
>
> Would that work Amos?
>
This is essentially what I suggested at the beginning.
Placing splice action and your ACLs on the first ssl_bump line ensures
that at each step if enough details are known to splice it will happen.
The second line being "peek all" makes peek happen at every step for
which it is possible (step 1 and step 2 - not step 3).
"terminate all" being last makes it happen for "all the rest", aka step
3 if Squid gets that far without splicing.
The only difference is that my suggested way would also allow splicing
the CONNECT if it happens to be presented with a host name in the
authority-URI. Which cannot happen on your proxy unless your port 3128
happens to be intercepting traffic between clients and another proxy.
BTW please do not use port 3128 for intercept. It is officially
registered for HTTP proxy traffic and so qualifies as "well known".
Amos
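The three-line ssl_bump ordering described in this reply, written out as an added squid.conf fragment (it is not from the original thread). It assumes Squid's peek-and-splice ssl_bump semantics and reuses the allow-list path quoted earlier in the thread; the per-step behaviour in the comments follows the explanation above.

```conf
# Added example, not from the original thread: Amos's suggested ssl_bump ordering.
# Assumes Squid 3.5+ peek-and-splice semantics and the allow-list file quoted
# earlier in the thread (one server-name regex per line).
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# Rule 1: splice as soon as enough detail is known to match the allow-list.
#   CONNECT (step 1): matches only if a host name is present in the authority-URI,
#                     which needs a CONNECT request rather than intercepted traffic
#   TLS ClientHello (step 1/2): matches the SNI, then (after a peek) the names
#                     in the server certificate
ssl_bump splice allowed_https_sites

# Rule 2: nothing matched yet, so peek to gather more details for the next step.
#   Effective at step 1 and step 2 only; peek is impossible at step 3.
ssl_bump peek all

# Rule 3: "all the rest", i.e. anything reaching step 3 without having been
#   spliced, is closed.
ssl_bump terminate all
```

Because Squid evaluates the ssl_bump lines top to bottom at every step, the splice rule must stay first; putting "peek all" before it would peek through step 2 and leave only terminate for step 3.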