[squid-users] Bump and Splice
AndyBinder at gmx.de
Wed Feb 19 12:35:22 UTC 2020
Am Dienstag, 18. Februar 2020, 19:42:30 CET schrieb Alex Rousskov:
> On 2/17/20 9:56 AM, AndyBinder at gmx.de wrote:
> > I think I am doing something wrong..
>
> What exactly is not working now? You have not disclosed what new problem
> you are facing, and Amos has given you the correct answer to your
> original question.
>
> > In brackets there are the changes i have made.
> >
> > Sample snippet from my squid.conf:
> > http_port 127.0.0.1:3128 name=transparent intercept ssl-bump ..
> > https_port 127.0.0.1:3129 name=transparent intercept ssl-bump ...
>
> I have not checked, but I would not be surprised if some Squid parts
> assume (or will assume) that port name is unique. I recommend avoiding
> using the same name=value for two *_ports.
>
> > http_port 192.168.1.1:3128 ssl-bump ...
> >
> > tls_outgoing_options ...
> >
> > acl bump_nobumpsites ssl::server_name ...
> >
> > --> (acl bump_nobumpport myportname transparent)
> >
> > ssl_bump peek bump_step1 all
> > ssl_bump peek bump_step2 bump_nobumpsites
> >
> > --> (ssl_bump peek bump_step2 bump_nobumpport)
> >
> > ssl_bump splice bump_step3 bump_nobumpsites
> >
> > --> (ssl_bump splice bump_step3 bump_nobumpport)
> >
> > ssl_bump stare bump_step2
> > ssl_bump bump bump_step3
> >
> > sslproxy_cert_error deny all
>
> I will reorder/polish your rules slightly for clarity's sake:
>
> ssl_bump peek bump_step1
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump peek bump_step2 bump_nobumpport
> ssl_bump stare bump_step2
> ssl_bump splice bump_step3 bump_nobumpsites
> ssl_bump splice bump_step3 bump_nobumpport
> ssl_bump bump bump_step3
>
> It looks like you are trying to make a splice-or-bump decision at step3.
> That is impossible because staring at step2 makes splicing (at step 3)
> impossible and, similarly, peeking at step2 makes bumping (at step3)
> impossible. Squid skips impossible actions (and provides step2-based
> defaults) so your configuration is, essentially:
>
> # step1
> ssl_bump peek bump_step1
>
> # step2
> ssl_bump peek bump_step2 bump_nobumpport
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump stare all
>
> # step3
> ssl_bump splice all
> ssl_bump bump all
>
> In other words, you were trying to make a splice-or-bump decision at
> step3, but modern Squid has to (and does) make that decision at step2.
>
>
> If you are not peeking at step2 for some useful side effect, then you
> can simplify further:
>
> # step1
> ssl_bump peek bump_step1
>
> # step2
> ssl_bump splice bump_step2 bump_nobumpport
> ssl_bump splice bump_step2 bump_nobumpsites
> ssl_bump stare all
>
> # step3
> ssl_bump bump all
>
>
> Please note that since I do not know what you are trying to accomplish
> and what does not work, I cannot say why the above simplified
> configuration does not do what you want it to do.
>
>
> HTH,
>
> Alex.
Thank you both for your answers and explanations!
Okay, I will try to explain my original intention.
Currently I have 2 working bumping configurations (Squid 4.9):
1. Splice everything (working for blacklisting http and https sites without
Bumping)
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
2. Bump everything except bump_nobumpsites
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
Now I try to combine both of them into one configuration and want to decide
whether bumping or splicing via the nametag of the port (=acl
bump_nobumpport).
Final wanted situation in words:
Bump everything except bump_nobumpsites and bump_nobumpports, but the SNI must
be visible to match against blacklisted urls.
@Alex: I tried your configuration examples but the blacklisted urls won't match
on https sites.
Thanks Andy
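To make the step logic Alex describes concrete, here is a small model of ssl_bump evaluation, added as an example (my own Python, not Squid's code): NOBUMP_SITES and NOBUMP_PORTS stand in for the bump_nobumpsites/bump_nobumpport acls, port names and SNI values are constructed, and the step-based defaults used when no rule matches are an assumption, not taken from Squid's source.

```python
# Simplified model of Squid's SslBump step logic (added example, not Squid's
# own code): the first matching rule whose action is still possible wins at
# each step; peek at step2 rules out bump at step3, stare rules out splice.
STEP_ACLS = {"bump_step1": 1, "bump_step2": 2, "bump_step3": 3}
NOBUMP_SITES = {"blocked.example"}  # constructed stand-in for bump_nobumpsites
NOBUMP_PORTS = {"transparent"}      # constructed stand-in for bump_nobumpport

def parse(conf):  # 'ssl_bump <action> [acl ...]' lines -> (action, acls)
    rules = []
    for line in conf.strip().splitlines():
        parts = line.split()
        if parts and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return rules

def acl_matches(acl, step, port, sni):
    if acl == "all":
        return True
    if acl in STEP_ACLS:
        return STEP_ACLS[acl] == step
    if acl == "bump_nobumpport":
        return port in NOBUMP_PORTS
    if acl == "bump_nobumpsites":
        # the SNI is only known once step1 has peeked at the ClientHello
        return step >= 2 and sni in NOBUMP_SITES
    raise ValueError(f"unknown acl {acl}")

def possible(action, step, prev):  # step3 only has final actions; step2 limits which
    if step == 3:
        if action in ("peek", "stare"):
            return False
        if (prev, action) in (("peek", "bump"), ("stare", "splice")):
            return False
    return True

def decide(rules, port, sni):  # actions taken per step until a final one
    trail, prev = [], None
    for step in (1, 2, 3):
        chosen = next((act for act, acls in rules
                       if all(acl_matches(a, step, port, sni) for a in acls)
                       and possible(act, step, prev)), None)
        if chosen is None:  # assumed defaults: splice after peek, bump after stare
            chosen = "bump" if prev == "stare" else "splice"
        trail.append(chosen)
        if chosen in ("splice", "bump", "terminate"):
            return trail
        prev = chosen
    return trail
```

Feeding it a rule set that stares at step2 and then tries to splice at step3 shows the splice being skipped, which is exactly why the port-based decision has to sit at step2.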