[squid-users] Working peek/splice no longer functioning on some sites
cofkomail at gmail.com
Sun Sep 1 20:44:04 UTC 2019
For me it works with "ssl_bump peek step1", not with "ssl_bump peek all".
My working config using Squid 4.8:
http_port 3129 intercept
acl allowed_http_sites dstdom_regex "/etc/squid/allow_list.conf"
http_access allow allowed_http_sites
https_port 3130 intercept ssl-bump \
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name_regex "/etc/squid/allow_list.conf"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice allowed_https_sites
ssl_bump terminate all
http_access deny all
logformat general %tl %6tr %>a %Ss/%03>Hs %<st %rm %ssl::bump_mode %ru
access_log daemon:/var/log/squid/access.log general
One thing to note is the "positive_dns_ttl 0" and "negative_dns_ttl 0"
directives; my findings are that DNS caching needs to be set to zero in
cases where DNS records get changed every minute due to round-robin combined
with hosting in environments where records change faster than the TTL - on AWS,
where you're hitting different DNS servers with each having a different TTL.
I was getting a lot of host forgery errors before setting those to 0.
This is in addition to all the servers using the same DNS address.
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
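Added example, not part of the original post: a small parser for access.log lines written with the "general" logformat from the config above, counting how often each %ssl::bump_mode appears and listing which clients hit destinations that ended in "terminate". The log lines are constructed samples, and the code assumes %tl (with its default format) emits two whitespace-separated tokens, date and UTC offset.

```python
from collections import Counter, defaultdict

# Field order of the post's logformat:
#   %tl %6tr %>a %Ss/%03>Hs %<st %rm %ssl::bump_mode %ru
# Assumption: %tl yields two tokens (date/time and UTC offset).
FIELDS = ("date", "tz", "elapsed_ms", "client", "status",
          "size", "method", "bump_mode", "url")

# Constructed sample lines, not taken from a real proxy.
SAMPLE_LOG = """\
01/Sep/2019:20:40:01 +0000     12 10.0.0.5 NONE/200 0 CONNECT peek 203.0.113.10:443
01/Sep/2019:20:40:02 +0000    845 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT splice allowed.example.com:443
01/Sep/2019:20:40:07 +0000      3 10.0.0.7 NONE/200 0 CONNECT terminate blocked.example.net:443
01/Sep/2019:20:40:09 +0000     20 10.0.0.9 TCP_MISS/200 1024 GET - http://allowed.example.com/
01/Sep/2019:20:40:11 +0000      4 10.0.0.9 NONE/200 0 CONNECT terminate blocked.example.net:443
truncated line
"""

def parse_line(line):
    # Return a dict for one log line, or None if it does not fit the format.
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    numeric_ok = rec["elapsed_ms"].isdigit() and rec["size"].isdigit()
    if "/" not in rec["status"] or not numeric_ok:
        return None
    return rec

def summarize(text):
    # Count bump modes; map each terminated destination to the clients that hit it.
    modes = Counter()
    terminated = defaultdict(set)
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed or truncated line
            continue
        modes[rec["bump_mode"]] += 1
        if rec["bump_mode"] == "terminate":
            terminated[rec["url"]].add(rec["client"])
    return modes, {dst: sorted(c) for dst, c in terminated.items()}, skipped

if __name__ == "__main__":
    modes, terminated, skipped = summarize(SAMPLE_LOG)
    print(dict(modes), terminated, "skipped:", skipped)
```

A destination that shows up under "terminate" but is expected to match the allow list is the first thing to check when a previously spliced site stops working.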