[squid-users] Bump and Splice

Alex Rousskov rousskov at measurement-factory.com
Tue Feb 18 18:42:30 UTC 2020


On 2/17/20 9:56 AM, AndyBinder at gmx.de wrote:
> I think I am doing something wrong...

What exactly is not working now? You have not disclosed what new problem
you are facing, and Amos has given you the correct answer to your
original question.


> In brackets there are the changes I have made.
> 
> Sample snippet from my squid.conf:
> 
>     http_port 127.0.0.1:3128 name=transparent intercept ssl-bump ..
>     https_port 127.0.0.1:3129 name=transparent intercept ssl-bump ...

I have not checked, but I would not be surprised if some Squid parts
assume (or will assume) that port name is unique. I recommend avoiding
using the same name=value for two *_ports.


>     http_port 192.168.1.1:3128  ssl-bump ...

>     tls_outgoing_options ...

>     acl bump_nobumpsites ssl::server_name ...
> --> (acl bump_nobumpport myportname transparent)
> 
>     ssl_bump peek bump_step1 all
>     ssl_bump peek bump_step2 bump_nobumpsites
> --> (ssl_bump peek bump_step2 bump_nobumpport)
>     ssl_bump splice bump_step3 bump_nobumpsites
> --> (ssl_bump splice bump_step3 bump_nobumpport)
>     ssl_bump stare bump_step2
>     ssl_bump bump bump_step3

>     sslproxy_cert_error deny all

I will reorder/polish your rules slightly for clarity's sake:

  ssl_bump peek bump_step1
  ssl_bump peek bump_step2 bump_nobumpsites
  ssl_bump peek bump_step2 bump_nobumpport
  ssl_bump stare bump_step2
  ssl_bump splice bump_step3 bump_nobumpsites
  ssl_bump splice bump_step3 bump_nobumpport
  ssl_bump bump bump_step3

It looks like you are trying to make a splice-or-bump decision at step3.
That is impossible because staring at step2 makes splicing (at step3)
impossible and, similarly, peeking at step2 makes bumping (at step3)
impossible. Squid skips impossible actions (and provides step2-based
defaults) so your configuration is, essentially:

  # step1
  ssl_bump peek bump_step1

  # step2
  ssl_bump peek bump_step2 bump_nobumpport
  ssl_bump peek bump_step2 bump_nobumpsites
  ssl_bump stare all

  # step3
  ssl_bump splice all
  ssl_bump bump all

In other words, you were trying to make a splice-or-bump decision at
step3, but modern Squid has to (and does) make that decision at step2.


If you are not peeking at step2 for some useful side effect, then you
can simplify further:

  # step1
  ssl_bump peek bump_step1

  # step2
  ssl_bump splice bump_step2 bump_nobumpport
  ssl_bump splice bump_step2 bump_nobumpsites
  ssl_bump stare all

  # step3
  ssl_bump bump all


Please note that since I do not know what you are trying to accomplish
and what does not work, I cannot say why the above simplified
configuration does not do what you want it to do.


HTH,

Alex.
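The step1/step2/step3 logic Alex describes is easy to get wrong when reading a rule list by eye, so here is a toy model of it, added as an illustration for this thread (it is not Squid code and not something either poster wrote). It encodes only what the reply states: rules are tried in order at each step and the first matching one wins; peeking at step2 rules out bumping at step3; staring at step2 rules out splicing at step3; impossible actions are skipped and, when nothing possible matches at step3, the step2-implied action is used. The `bump_stepN` acls are assumed to be `at_step` acls, and the site list behind `bump_nobumpsites` is a constructed sample; the port name `transparent` comes from the thread.

```python
"""Toy model of Squid's three-step ssl_bump decision (illustration, not Squid code)."""
from dataclasses import dataclass

FINAL = {"splice", "bump", "terminate"}
# Step3 actions still possible after a given step2 action, as stated in the reply.
AFTER_STEP2 = {"peek": {"splice", "terminate"}, "stare": {"bump", "terminate"}}

# Constructed stand-ins for the acl definitions the thread does not show.
NOBUMP_SITES = {"bank.example", "mail.example"}   # acl bump_nobumpsites ssl::server_name ...
NOBUMP_PORT = "transparent"                        # acl bump_nobumpport myportname transparent

# Alex's reordered version of the user's rules.
ORIGINAL_RULES = """
ssl_bump peek bump_step1
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpport
ssl_bump stare bump_step2
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpport
ssl_bump bump bump_step3
"""

# The simplified configuration that decides at step2.
SIMPLIFIED_RULES = """
ssl_bump peek bump_step1
ssl_bump splice bump_step2 bump_nobumpport
ssl_bump splice bump_step2 bump_nobumpsites
ssl_bump stare all
ssl_bump bump all
"""


@dataclass(frozen=True)
class Conn:
    portname: str      # the name= of the http_port/https_port that accepted the connection
    server_name: str   # server name learned while peeking (SNI / certificate)


def acl_matches(acl: str, step: int, conn: Conn) -> bool:
    """Evaluate one acl name as the thread's configuration uses it."""
    if acl == "all":
        return True
    if acl in ("bump_step1", "bump_step2", "bump_step3"):   # assumed: acl bump_stepN at_step SslBumpN
        return step == int(acl[-1])
    if acl == "bump_nobumpsites":
        return conn.server_name in NOBUMP_SITES
    if acl == "bump_nobumpport":
        return conn.portname == NOBUMP_PORT
    raise ValueError(f"unknown acl {acl!r}")


def parse_ssl_bump(conf: str):
    """Extract (action, [acl, ...]) pairs from the ssl_bump lines of a squid.conf snippet."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:] or ["all"]))
    return rules


def first_match(rules, step: int, conn: Conn, possible):
    """First rule whose action is still possible and whose acls all match at this step."""
    for action, acls in rules:
        if action not in possible:
            continue   # Squid skips actions that are impossible at this step
        if all(acl_matches(a, step, conn) for a in acls):
            return action
    return None


def decide(conf: str, conn: Conn):
    """Return the tuple of actions taken at step1, step2, step3 (stops at a final action)."""
    rules = parse_ssl_bump(conf)
    trace = []
    possible = {"peek", "stare", "splice", "bump", "terminate"}
    for step in (1, 2, 3):
        action = first_match(rules, step, conn, possible)
        if action is None:
            if step != 3:
                raise ValueError(f"no ssl_bump rule matched at step {step}")
            # Nothing possible matched at step3: fall back to the step2-implied action.
            action = "splice" if trace[-1] == "peek" else "bump"
        trace.append(action)
        if action in FINAL:
            break
        if step == 2:
            possible = AFTER_STEP2[action]   # step2 choice constrains step3
    return tuple(trace)


if __name__ == "__main__":
    for conn in (Conn("lan", "bank.example"), Conn("lan", "shop.example"),
                 Conn("transparent", "shop.example")):
        print(conn, "original:", decide(ORIGINAL_RULES, conn),
              "simplified:", decide(SIMPLIFIED_RULES, conn))
```

Running it shows that both rule sets end in the same final action for every connection; the only difference is that the original set reaches splice one step later, after a step2 peek that already committed it to splicing.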
