[squid-users] About SSL peek-n-splice/bump configurations
vh1988 at yahoo.com.ar
Fri Sep 14 00:13:40 UTC 2018
> > Example:
> > ssl_bump splice noBumpSites # this will be totally ignored by Squid if a
> > stare rule precedes this.
> No, this is incorrect. There are many cases where a previous stare rule will not
> have the effect you state it will. For example:
> # Squid may splice at step2 despite the preceding stare rule
> # because staring at step1 does not preclude splicing.
> ssl_bump stare step1
> ssl_bump splice noBumpSites
Well yes, I think you are right; but my example (or what I meant) was the following (maybe you posted that to give an example of how that rule could probably not match, I don't know):
ssl_bump stare noBumpSites (at this line your example said: ssl_bump stare step1)
ssl_bump splice noBumpSites
...And here a "key question" appears:
ssl_bump stare noBumpSites # This is the first line of SslBumps ruleset.
So, when Squid reaches this first rule and line (there is no explicit step) ...does Squid make a "loop of steps" only along the first line, and go to the next line only when the rule stops being applicable/matchable?
If the answer to my question is "Yes", then the second line has no effect because, I guess, Squid will do a bump in more or less this way:
ssl_bump stare noBumpSites
... is the same as:
ssl_bump stare step1 noBumpSites
ssl_bump stare step2 noBumpSites # Here is where the second line stops making sense
ssl_bump bump step3 noBumpSites # Finally bump due to the previous step
ssl_bump splice noBumpSites # will never match.
Going back a bit, Amos explained the following when I asked:
>> ...So that means that squid processes the SslBump directives:
>> 1: maybe more than one time in a single request...?
>Yes. Up to 3 times. A peek or splice action causes another check later.
Well, Amos never mentioned a "stare" action here, so I don't know if "stare" applies to this too.
And even worse, maybe I did not understand him correctly.
> # Squid will splice at step1 despite the preceding stare rule
> # because the preceding stare rule never matches
> ssl_bump stare !all
> ssl_bump splice all
And this example is more obvious than the first one. It is as if that previous line did not exist.
> > Does not the splice at step1 and step2 action avoid this? I mean if
> > squid act as a -TCP forward proxy only- for noBumpSites. "Don't touch
> > TLS bytes"
> I am not sure what you mean by "this" exactly, but splicing (at any
> step) does not guarantee the lack of errors.
Ok, but is Squid the culprit of those errors? It is being a passive observer of that TLS traffic.
Here, I am talking about the idea of (explicitly) splicing at step1 and then at step2 a whitelist of sites.
Question based on the words below:
>>>* If successful, ssl_bump peek and splice actions do not alter TLS
>>>bytes. Peeking and/or splicing Squid can be viewed as a TCP proxy as far
>>>as TLS bytes forwarding is concerned. The client and the origin server
>>>will see the same TLS bytes they would have seen if Squid was not there.
>>>* In this scope, various errors are usually equivalent to applying the
>The earlier you tell Squid to
> splice the connections, the fewer checks Squid will do, decreasing the
> probability of an error.
That is the idea behind the noBumpSites ACL: the least amount of errors possible.
Let's say: "Let's remove as much responsibility as possible from Squid about what happens with really/specially sensitive sites, if something goes wrong."
Talking to Squid / in other words: "Squid, do a *full* bump of msn.com and youtube.com too; but please *never do anything or touch anything* with bankaust.com.au."
(Something like that)
> Errors lead to bumping the client connection (to
> deliver the error message).
What do you mean by those errors?
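For readers following the ordering question in this thread, here is a complete squid.conf fragment, written as an added example and not taken from this post or from the Squid project's documentation. It places the splice rule for the whitelist before any peek/stare rule, so that the whitelisted sites are tunnelled without Squid ever looking at the server certificate, while everything else is stared at step2 and bumped at step3. The ACL name noBumpSites comes from the thread; the domain pattern, the "step" ACL names and the bump-everything-else policy are assumptions constructed for the example.

```conf
# Added example, not from the list post or the Squid docs.
# Step ACLs (at_step is a built-in ACL type in Squid 3.5+).
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Whitelist of sites Squid must never decrypt (constructed domain for the example).
# ssl::server_name matches the CONNECT host at step1 (forward proxy) and the
# client's SNI from step2 onwards (interception), so it is re-checked at each step.
acl noBumpSites ssl::server_name .bankaust.com.au

# Rules are evaluated top-down at EVERY step; the first match at that step wins.
# Putting the splice rule first means a whitelisted site is spliced at the
# earliest step where noBumpSites matches, and no stare/bump rule below can
# ever apply to it. Once spliced, no later step is evaluated for that connection.
ssl_bump splice noBumpSites

# All other connections: read the client Hello at step1 (no decision yet),
# fetch the server certificate at step2 while preserving the bump option,
# then bump at step3.
ssl_bump peek  step1
ssl_bump stare step2
ssl_bump bump  step3
```

Compared with the "stare noBumpSites" then "splice noBumpSites" ordering discussed above, this form never creates a dead rule: the whitelist rule is reached first at each step, so the question of whether a preceding stare precludes a later splice does not arise for the sensitive sites, and the bump rule is only reached by connections that were explicitly stared at step2.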