[squid-users] About SSL peek-n-splice/bump configurations

Alex Rousskov rousskov at measurement-factory.com
Fri Sep 21 21:19:55 UTC 2018


On 09/21/2018 09:08 AM, Julian Perconti wrote:

> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump stare step2


> # Second rule:
> ssl_bump splice noBumpSites 
> 
> I think that this rule should implicitly match only at step2.

I do not know what "implicitly match" means here, but yes, the splice
rule may only match at step2 in this configuration:

* It cannot match at step1 because the earlier "peek" rule matches at step1.

* It is always reached during step2 because no rules above it can match
during step2. Whether it matches during step2 depends on whether
noBumpSites matches a particular transaction during step2.

* It cannot match at step3 because for a splice rule to match at step3 a
peek rule has to match at step2, and there is no peek rule that can
match at step2 in your configuration.


> However, as I said above, if the splice is the first rule instead of the
> peek, Squid's behaviour changes.

Naturally. If you place the splice rule first, it may match during step1
as well. If you do not, it cannot.


>> After a splice rule is applied, SslBump is over. No more rules are
>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>> feature (and becomes a TCP tunnel).

> Here, probably (not sure) Alex referred to the "splice all" rule.

I think you are ignoring or misinterpreting the verb "applied". Here,
"applied" means Squid has executed the rule action. Not just considered
the rule containing that action, but actually ran that action. Applying
a rule action implies that the rule ACLs (whatever they were) matched,
of course. A rule action is never applied when the rule ACLs do not match.


> In that case it is clear that "splice is a final action", so there are no more future checks.

The notion of a "final" action does not depend on rule ACLs. After Squid
applies the "splice" action (in whatever context, for whatever reason),
SslBump processing for that transaction is over. Same for "bump" and
"terminate" actions.


> But in my config, next to splice there is an ACL. That is why I asked "But, doesn't the ACL matter?" in an earlier mail.

ACLs (and other things) determine which rules match. After a rule
matches, then Squid applies its action, and then the notion of a "final
action" starts to matter.


> Will Squid ignore the last rule?

No. The last rule will be applied at step2 whenever noBumpSites
mismatches at step2.


HTH,

Alex.


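The step-by-step matching that Alex walks through above (first matching rule wins at each step, peek/stare continue to the next step, splice/bump/terminate end SslBump, and a splice rule is unreachable at step3 once step2 stared) can be checked against a small model. The following is an added example written for this page, not Squid's code: a toy evaluator that takes ssl_bump rules as data plus a constructed table of which steps each named ACL matches at. Two things in it are assumptions labelled in the code rather than facts from the thread: that a rule whose action is not applicable at step3 (splice after stare, bump after peek) is simply skipped, modelled on the "usually precludes" wording of the ssl_bump documentation, and that a step with no matching rule falls back to splice, or to bump after a stare. The rule sets THREAD_RULES, SPLICE_FIRST and PEEK_TWICE are the poster's configuration, his proposed reordering, and a variant that peeks at step2.

```python
"""Toy evaluator for Squid ssl_bump rule matching across SslBump steps 1-3.

Added example, not Squid code. Assumptions (labelled where used): ACL verdicts
are supplied per step as plain data; after "stare" at step2 a "splice" rule is
skipped at step3 and after "peek" at step2 a "bump" rule is skipped at step3;
when no rule matches, the fallback is "splice", or "bump" after a "stare".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FINAL_ACTIONS = {"splice", "bump", "terminate"}   # SslBump ends once one is applied
PEEKING_ACTIONS = {"peek", "stare"}               # continue to the next step
STEP_ACLS = {"step1": 1, "step2": 2, "step3": 3}  # Squid's built-in bump-step ACLs


@dataclass(frozen=True)
class Rule:
    action: str
    acls: Tuple[str, ...]   # all must match; a leading "!" negates an ACL


# Constructed input: ACL name -> set of steps at which that ACL matches.
Verdicts = Dict[str, Set[int]]


def acl_matches(name: str, step: int, verdicts: Verdicts) -> bool:
    negate = name.startswith("!")
    base = name.lstrip("!")
    if base == "all":
        hit = True
    elif base in STEP_ACLS:
        hit = STEP_ACLS[base] == step
    else:
        hit = step in verdicts.get(base, set())
    return hit != negate


def skipped_actions(step: int, previous: Optional[str]) -> Set[str]:
    """Actions a rule cannot carry at this step. Assumption modelled on the
    documented 'peeking usually precludes bumping, staring usually precludes
    splicing'; there is nothing left to peek or stare at after step2."""
    if step < 3:
        return set()
    skipped = set(PEEKING_ACTIONS)
    if previous == "stare":
        skipped.add("splice")
    if previous == "peek":
        skipped.add("bump")
    return skipped


def default_action(previous: Optional[str]) -> str:
    """Assumed fallback when no rule matches at a step."""
    return "bump" if previous == "stare" else "splice"


def evaluate(rules: Tuple[Rule, ...], verdicts: Verdicts) -> List[Tuple[int, Optional[int], str]]:
    """Return (step, index of the matched rule or None, action applied) for each
    step reached, stopping as soon as a final action is applied."""
    trace = []
    previous = None
    for step in (1, 2, 3):
        skipped = skipped_actions(step, previous)
        applied, index = None, None
        for i, rule in enumerate(rules):       # first matching rule wins
            if rule.action in skipped:
                continue
            if all(acl_matches(a, step, verdicts) for a in rule.acls):
                applied, index = rule.action, i
                break
        if applied is None:
            applied = default_action(previous)
        trace.append((step, index, applied))
        if applied in FINAL_ACTIONS:
            break
        previous = applied
    return trace


# The configuration from the thread, and the reordering the poster asked about.
THREAD_RULES = (Rule("peek", ("step1",)), Rule("splice", ("noBumpSites",)), Rule("stare", ("step2",)))
SPLICE_FIRST = (Rule("splice", ("noBumpSites",)), Rule("peek", ("step1",)), Rule("stare", ("step2",)))
# A variant that peeks at step2, which keeps splicing at step3 possible.
PEEK_TWICE = (Rule("peek", ("step1",)), Rule("peek", ("step2",)), Rule("splice", ("noBumpSites",)))


def explain(rules: Tuple[Rule, ...], verdicts: Verdicts) -> str:
    return "; ".join(f"step{s}: {'default' if i is None else 'rule ' + str(i + 1)} -> {a}"
                     for s, i, a in evaluate(rules, verdicts))


if __name__ == "__main__":
    print("noBumpSites matches from step1 (SNI):  ", explain(THREAD_RULES, {"noBumpSites": {1, 2, 3}}))
    print("noBumpSites never matches:             ", explain(THREAD_RULES, {}))
    print("noBumpSites only matches at step3:     ", explain(THREAD_RULES, {"noBumpSites": {3}}))
    print("splice rule first, SNI matches:        ", explain(SPLICE_FIRST, {"noBumpSites": {1, 2, 3}}))
    print("peek at step2, noBumpSites at step3:   ", explain(PEEK_TWICE, {"noBumpSites": {3}}))
```

Running it shows the three bullets of the answer in the trace: with the thread's rules the splice rule is never the step1 winner (the peek rule is), it wins step2 exactly when noBumpSites matches there, and when noBumpSites only becomes true at step3 the connection is bumped anyway because step2 stared. Putting the splice rule first lets it end SslBump at step1.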