[squid-users] Bump and Splice
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 20 11:20:37 UTC 2020
On 20/02/20 1:35 am, AndyBinder wrote:
>
> Currently i have 2 working bumping configurations (Squid 4.9):
>
> 1. Splice everything (working for blacklisting http and https sites without
> Bumping)
>
> ssl_bump peek bump_step1 all
> ssl_bump splice all
Following lines are unreachable. You can just erase from the config.
PS. Also you do not need the 'all' ACL on that first line.
> ssl_bump peek bump_step2 all
> ssl_bump splice bump_step3 all
> ssl_bump bump
>
> 2. Bump everything except bump_nobumpsites
>
> ssl_bump peek bump_step1 all
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump splice bump_step3 bump_nobumpsites
> ssl_bump stare bump_step2
> ssl_bump bump bump_step3
>
> Now i try to combine both of them into one configuration and want to decide
> weather bumping or splicing via the nametag of the port (=acl
> bump_nobumpport).
>
> Final wanted situation in words:
>
> Bump everything except bump_nobumpsites and bump_nobumpports, but the SNI must
> be visible to match agains blacklisted urls.
How important is that word "and" in your policy statement?
The config earlier used an OR condition:
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpport
This would be AND condition:
ssl_bump peek bump_step2 bump_nobumpport bump_nobumpsites
>
> @Alex: I tried your configuration examples but the blacklisted urls won't match
> on https sites.
If you are matching *URLs* that is the problem. Only the domain name is
available during ssl_bump checks. The URL only appears after bumping,
and only from http_access onwards.
Amos
More information about the squid-users
mailing list