<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA1 <br>
<br>
You can't use dstdomain ACL for disable bumping.<br>
<br>
Only dst with IP's.<br>
<br>
You don't know site FQDN before bump. :)<br>
<br>
26.01.2015 23:48, Josep Borrell пишет:<br>
<span style="white-space: pre;">><br>
> Hi all,<br>
><br>
> <br>
><br>
> Working on squid 3.5.1 with HTTPS interception.<br>
><br>
> Trying to make a peek/splice configuration to work and avoid
bank bumping.<br>
><br>
> Until now bumping is working fine but can’t avoid to bump
sites on acl. All are bumped.<br>
><br>
> Can anybody share a working configuration or take a look at
mine to find why is not working.<br>
><br>
> <br>
><br>
> Thanks<br>
><br>
> <br>
><br>
> Josep<br>
><br>
> <br>
><br>
> Squid.conf:<br>
><br>
> <br>
><br>
> #HTTPS (SSL) trafic interception options<br>
><br>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s
/var/spool/squid3_ssldb -M 4MB<br>
><br>
> sslcrtd_children 8 startup=1 idle=1<br>
><br>
> <br>
><br>
> acl disable-ssl-bump dstdomain -i
"/etc/squid3/no-ssl-bump.acl"<br>
><br>
> acl step1 at_step SSLBump1<br>
><br>
> acl step2 at_step SSLBump2<br>
><br>
> acl step3 at_step SSLBump3<br>
><br>
> <br>
><br>
> ssl_bump peek step1 all<br>
><br>
> ssl_bump splice step2 disable-ssl-bump<br>
><br>
> ssl_bump stare step2 all<br>
><br>
> ssl_bump splice step3 disable-ssl-bump<br>
><br>
> ssl_bump bump step3 all<br>
><br>
> <br>
><br>
> http_access allow all<br>
><br>
> <br>
><br>
> http_port 3128<br>
><br>
> http_port 8080 intercept<br>
><br>
> https_port 8081 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl_cert/squidcert.pem<br>
><br>
> <br>
><br>
> forward_max_tries 25<br>
><br>
> cache_mem 2 GB<br>
><br>
> maximum_object_size_in_memory 25 MB<br>
><br>
> maximum_object_size 1 GB<br>
><br>
> <br>
><br>
> visible_hostname squid-v2<br>
><br>
> <br>
><br>
> workers 3<br>
><br>
> <br>
><br>
> coredump_dir /var/spool/squid3<br>
><br>
> cache_replacement_policy heap LFUDA<br>
><br>
> cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000<br>
><br>
> cache_dir rock /var/spool/squid3/cache2 10000<br>
><br>
> <br>
><br>
> refresh_pattern ^ftp: 1440 20% 10080<br>
><br>
> refresh_pattern ^gopher: 1440 0% 10080<br>
><br>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
><br>
> refresh_pattern . 0 80% 10080<br>
><br>
> <br>
><br>
> # FortiGate interface of wccp<br>
><br>
> wccp2_router 192.168.111.1<br>
><br>
> # wccp version 2 configuration<br>
><br>
> wccp2_service standard 90<br>
><br>
> # tunneling method GRE for forward traffic<br>
><br>
> wccp2_forwarding_method gre<br>
><br>
> # tunneling method GRE for return traffic<br>
><br>
> wccp2_return_method gre<br>
><br>
> # which interface to use for WCCP (0.0.0.0 determines the
interface from routing)<br>
><br>
> wccp2_address 0.0.0.0<br>
><br>
> <br>
><br>
> /etc/squid3/no-ssl-bump.acl file:<br>
><br>
> .bancsabadell.com<br>
><br>
> .lacaixa.com<br>
><br>
> <br>
><br>
> <br>
><br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBAgAGBQJUxn8sAAoJENNXIZxhPexGQ5UIAJYWDE+L0pWR/cn3SNWZkpGt
<br>
LIBXoFsw7DGtvKD1ieu6WVAmHwf784ZrZpKtSUY7IW4/UBOdsLZtPeSe9WYmtBW6
<br>
mDLTxeQbrY7b2Xp3vnYGtw3nskYFOdR2SOeTqzcL82Pj/D0IChKgTxxt3z4Uv3it
<br>
1VKgV4fOBwiYd9ib2PBPeIEfVv7ZQLfgtr8+sTnHsxMLZjXuugokVpLtsRBiCukY
<br>
Dg6G7iyap4gPDn66GpsE7LgMbJYDIyRkWle8M55EgK12yspM6LuDTcyMOCfiNOZa
<br>
LMwyZhFbVh1XxS+2b2mBnmZtqKO3ylgGki6R/FRFUuZLgPhGidUena3vZgJBDbw=
<br>
=Q0Yt
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</body>
</html>