[squid-users] About SSL peek-n-splice/bump configurations

Julian Perconti vh1988 at yahoo.com.ar
Sat Sep 22 16:40:33 UTC 2018

> > # Second rule:
> > ssl_bump splice noBumpSites
> >
> > I think that this rule should implicitly match only at step2.
> I do not know what "implicitly match" means here, but yes, the splice rule
> may only match at step2 in this configuration:

When I say "implicit" I mean that there is no step specified in the rule.

> * It cannot match at step1 because the earlier "peek" rule matches at step1.

Yes, rule #1 "matches all", therefore the domains in the "noBumpSites" ACL are also peeked. And that first rule will always match.

> * It is always reached during step2 because no rules above it can match
> during step2.

Yes, the first rule has an explicit peek at step1, hence any kind of match at step2, either before the 2nd rule or in the first rule, is impossible.

>Whether it matches during step2 depends on whether
> noBumpSites matches a particular transaction during step2.

If I understood You correctly, I think that here You are pointing to an earlier message where You explained some reasons why "noBumpSites" could not always match.

> * It cannot match at step3 because for a splice rule to match at step3 a peek
> rule has to match at step2, and there is no peek rule that can match at step2
> in your configuration.

Although there is no peek rule at step2, in the second rule a final action is applied to noBumpSites (if it matches).
In fact, in case (for any reason) the 2nd rule cannot match, there is an explicit stare rule at step2.
So, I think that it is almost impossible that a splice at step3 happens in this configuration for the noBumpSites.
In the worst case, if rule #2 does not match, then noBumpSites will be bumped, due to the stare at step2.

Is this reasoning correct?

> > However as I said above if the splice is the first rule instead of the
> > peek, Squid's behaviour changes.
> Naturally. If you place the splice rule first, it may match during step1 as well.
> If you do not, it cannot.

That was a comment to confirm that what the wiki doc warned about and said in 2017 is what is happening now with Squid 4.2 (18/9 source).

> >> After a splice rule is applied, SslBump is over. No more rules are
> >> checked. No more loops are iterated. Squid simply "exits" the
> >> SslBump feature (and becomes a TCP tunnel).
> > Here, probably (not sure) Alex referred to the "splice all" rule.
> I think you are ignoring or misinterpreting the verb "applied". Here, "applied"
> means Squid has executed the rule action. Not just considered the rule
> containing that action, but actually ran that action. Applying a rule action
> implies that the rule ACLs (whatever they were) matched, of course. A rule
> action is never applied when the rule ACLs do not match.

Yes, I misinterpreted You more than once; I'm sorry. (Because You are speaking in English, and I am reading/speaking in an "almost-English" as well as I can.)
So, in the final action the ACL is important. This is what I tried to say.
I insist, because when You said that, I thought (without understanding the logic): "OK, therefore if I splice at step2 some.site.net, the following lines are over; no more processing, no matter what ACL the rule has".

> > In that case is clear "splice is a final action" then no more future checks.
> The notion of a "final" action does not depend on rule ACLs.

Here is where Your explanation breaks my head. This is the most important confusion of all of my other confusions/misunderstandings.

In the config I posted, there is a splice action in the middle, and only the "noBumpSites" are spliced (at least as checked with logs).
And even with the splice action as the second rule, the 3rd rule is processed (Squid is still processing rules after the splice noBumpSites ACL).
I checked this because if I remove the last rule, all the traffic is spliced (due to peek at step1 and splice at step2) and future default actions.
I think that this happens because, if there is no 3rd line stare'ing at step2, then:
   ssl_bump splice noBumpSites = ssl_bump splice noBumpSites all. (Not sure, I will do a test with only one rule, to see what Squid does: ssl_bump peek step1.)

(If this were the last rule; but in this configuration there is a 3rd rule which is stare'ing at step2.)

> After Squid applies the "splice" action (in whatever context, for whatever reason),
> SslBump processing for that transaction is over. Same for "bump" and
> "terminate" actions.

What exactly do You mean by "for that transaction"? Maybe that rule?

> > But in my config next to splice there is an ACL. That is why I asked: "But,
> > doesn't the ACL matter?" in an earlier mail.
> ACLs (and other things) determine which rules match. After a rule matches,
> then Squid applies its action, and then the notion of a "final action" starts to
> matter.

That statement clarifies the thing a bit more.

> > Will Squid ignore the last rule?
> No. The last rule will be applied at step2 whenever noBumpSites mismatches
> at step2.

Yes, I said and verified that the last rule is not ignored by Squid, even with the splice rule as the previous rule.

> HTH,
> Alex.

Thank You very much.
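A toy model of the step-by-step ssl_bump evaluation argued about in this thread, added here as an example; it is neither Squid's code nor the poster's actual configuration. It parses a minimal squid.conf fragment and walks the three SslBump steps the way the thread describes them: at each step the first rule whose action is possible at that step and whose ACLs all match is applied, peek/stare advance to the next step, and splice/bump/terminate are final. The three-rule configuration (peek at step1, splice noBumpSites, stare at step2), the "splice first" variant and the "no stare rule" variant from the discussion are all encoded. The contents of the noBumpSites ACL (.bank.example), the sample transactions, the assumption that ssl::server_name sees only the SNI at step1 and the certificate name from step2 on, and the defaults used when no rule matches (splice at step1 and step2; at step3 splice after peek and bump after stare) are assumptions of this model, not facts taken from the page.

```python
"""Toy model of Squid ssl_bump step evaluation (added example, not Squid code)."""

NON_FINAL = {"peek", "stare"}
FINAL = {"splice", "bump", "terminate"}


def possible_actions(step, previous):
    """Actions a rule may take at `step`, given the previous step's action.

    Simplification of the ssl_bump documentation: peeking at step2 leaves only
    splice/terminate for step3, staring leaves only bump/terminate. A rule whose
    action is not possible at the current step is skipped (it cannot match).
    """
    if step < 3:
        return NON_FINAL | FINAL
    return {"splice", "terminate"} if previous == "peek" else {"bump", "terminate"}


def default_action(step, previous):
    """Model assumption for 'no rule matched': splice at steps 1 and 2; at step3
    splice after peek and bump after stare (the 'worst case' from the thread)."""
    if step < 3:
        return "splice"
    return "bump" if previous == "stare" else "splice"


def parse_config(text):
    """Parse 'acl NAME TYPE ARGS...' and 'ssl_bump ACTION ACL...' lines only."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))  # (action, [acl terms])
    return acls, rules


def domain_matches(pattern, host):
    if host is None:
        return False
    if pattern.startswith("."):  # ".example.com" also matches example.com itself
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls, term, step, tx):
    negate = term.startswith("!")
    name = term.lstrip("!")
    if name == "all":
        result = True
    else:
        kind, args = acls[name]
        if kind == "at_step":
            result = args[0] == f"SslBump{step}"
        elif kind == "ssl::server_name":
            # Model assumption: at step1 only the client's SNI is known; from
            # step2 on the name from the server certificate is used.
            host = tx.get("sni") if step == 1 else tx.get("cert_name") or tx.get("sni")
            result = any(domain_matches(a, host) for a in args)
        else:
            raise ValueError(f"unsupported acl type {kind}")
    return result != negate


def evaluate(config_text, tx):
    """Return the list of (step, action) decisions for one transaction."""
    acls, rules = parse_config(config_text)
    history, previous = [], None
    for step in (1, 2, 3):
        action = None
        for rule_action, terms in rules:
            if rule_action not in possible_actions(step, previous):
                continue  # e.g. a splice rule after stare at step2 cannot match at step3
            if all(acl_matches(acls, t, step, tx) for t in terms):
                action = rule_action
                break
        if action is None:
            action = default_action(step, previous)
        history.append((step, action))
        if action in FINAL:
            break  # SslBump is over for this transaction; no more rules are checked
        previous = action
    return history


ACLS = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl noBumpSites ssl::server_name .bank.example   # assumed ACL contents
"""
THREAD_CONFIG = ACLS + "ssl_bump peek step1\nssl_bump splice noBumpSites\nssl_bump stare step2\n"
SPLICE_FIRST_CONFIG = ACLS + "ssl_bump splice noBumpSites\nssl_bump peek step1\nssl_bump stare step2\n"
NO_STARE_CONFIG = ACLS + "ssl_bump peek step1\nssl_bump splice noBumpSites\n"

# Constructed sample transactions.
BANK = {"sni": "login.bank.example", "cert_name": "login.bank.example"}
OTHER = {"sni": "www.example.org", "cert_name": "www.example.org"}
NO_SNI_BANK = {"sni": None, "cert_name": "login.bank.example"}

if __name__ == "__main__":
    for cfg_name, cfg in [("thread", THREAD_CONFIG), ("splice-first", SPLICE_FIRST_CONFIG), ("no-stare", NO_STARE_CONFIG)]:
        for tx_name, tx in [("bank", BANK), ("other", OTHER), ("no-sni-bank", NO_SNI_BANK)]:
            print(f"{cfg_name:12} {tx_name:12} {evaluate(cfg, tx)}")
```

Running it reproduces the thread's conclusions: with the thread's configuration a noBumpSites host is peeked at step1 and spliced at step2 (nothing further is evaluated), while any other host is stared at step2 and, no rule being possible at step3, falls to the bump default; putting the splice rule first lets it match already at step1 when the SNI is present, but without SNI it still only matches at step2 via the certificate name; and dropping the stare rule makes every non-noBumpSites host fall to the splice default at step2.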
