<div dir="ltr"><div><div><div>hmm acc to how I read this page: <a href="http://wiki.squid-cache.org/Features/SslPeekAndSplice">http://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br></div>The following *should* work, however in my test it bumps all and does not splice.<br></div>Yuri- I believe, the domain name should be available at step2 after peeking in step1. <br>Someone correct me?<br></div><div><div><div><div> <br><br>acl domains_nobump dstdomain "/etc/squid/domains_nobump.acl"<br>acl step1 at_step SslBump1<br>acl step2 at_step SslBump2<br>ssl_bump splice domains_nobump<br>ssl_bump peek step1 all<br>ssl_bump bump step2 all<br><br></div></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">-----------<br>Daniel I Greenwald<br><br><br></div></div>
<br><div class="gmail_quote">On Mon, Jan 26, 2015 at 12:53 PM, Yuri Voinov <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA1 <br>
<br>
You can't use dstdomain ACL for disable bumping.<br>
<br>
Only dst with IP's.<br>
<br>
You don't know site FQDN before bump. :)<br>
<br>
26.01.2015 23:48, Josep Borrell пишет:<br>
<span style="white-space:pre-wrap"><div><div class="h5">><br>
> Hi all,<br>
><br>
> <br>
><br>
> Working on squid 3.5.1 with HTTPS interception.<br>
><br>
> Trying to make a peek/splice configuration to work and avoid
bank bumping.<br>
><br>
> Until now bumping is working fine but can’t avoid to bump
sites on acl. All are bumped.<br>
><br>
> Can anybody share a working configuration or take a look at
mine to find why is not working.<br>
><br>
> <br>
><br>
> Thanks<br>
><br>
> <br>
><br>
> Josep<br>
><br>
> <br>
><br>
> Squid.conf:<br>
><br>
> <br>
><br>
> #HTTPS (SSL) trafic interception options<br>
><br>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s
/var/spool/squid3_ssldb -M 4MB<br>
><br>
> sslcrtd_children 8 startup=1 idle=1<br>
><br>
> <br>
><br>
> acl disable-ssl-bump dstdomain -i
"/etc/squid3/no-ssl-bump.acl"<br>
><br>
> acl step1 at_step SSLBump1<br>
><br>
> acl step2 at_step SSLBump2<br>
><br>
> acl step3 at_step SSLBump3<br>
><br>
> <br>
><br>
> ssl_bump peek step1 all<br>
><br>
> ssl_bump splice step2 disable-ssl-bump<br>
><br>
> ssl_bump stare step2 all<br>
><br>
> ssl_bump splice step3 disable-ssl-bump<br>
><br>
> ssl_bump bump step3 all<br>
><br>
> <br>
><br>
> http_access allow all<br>
><br>
> <br>
><br>
> http_port 3128<br>
><br>
> http_port 8080 intercept<br>
><br>
> https_port 8081 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl_cert/squidcert.pem<br>
><br>
> <br>
><br>
> forward_max_tries 25<br>
><br>
> cache_mem 2 GB<br>
><br>
> maximum_object_size_in_memory 25 MB<br>
><br>
> maximum_object_size 1 GB<br>
><br>
> <br>
><br>
> visible_hostname squid-v2<br>
><br>
> <br>
><br>
> workers 3<br>
><br>
> <br>
><br>
> coredump_dir /var/spool/squid3<br>
><br>
> cache_replacement_policy heap LFUDA<br>
><br>
> cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000<br>
><br>
> cache_dir rock /var/spool/squid3/cache2 10000<br>
><br>
> <br>
><br>
> refresh_pattern ^ftp: 1440 20% 10080<br>
><br>
> refresh_pattern ^gopher: 1440 0% 10080<br>
><br>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
><br>
> refresh_pattern . 0 80% 10080<br>
><br>
> <br>
><br>
> # FortiGate interface of wccp<br>
><br>
> wccp2_router 192.168.111.1<br>
><br>
> # wccp version 2 configuration<br>
><br>
> wccp2_service standard 90<br>
><br>
> # tunneling method GRE for forward traffic<br>
><br>
> wccp2_forwarding_method gre<br>
><br>
> # tunneling method GRE for return traffic<br>
><br>
> wccp2_return_method gre<br>
><br>
> # which interface to use for WCCP (0.0.0.0 determines the
interface from routing)<br>
><br>
> wccp2_address 0.0.0.0<br>
><br>
> <br>
><br>
> /etc/squid3/no-ssl-bump.acl file:<br>
><br>
> .<a href="http://bancsabadell.com" target="_blank">bancsabadell.com</a><br>
><br>
> .<a href="http://lacaixa.com" target="_blank">lacaixa.com</a><br>
><br>
> <br>
><br>
> <br>
><br>
><br>
><br></div></div>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBAgAGBQJUxn8sAAoJENNXIZxhPexGQ5UIAJYWDE+L0pWR/cn3SNWZkpGt
<br>
LIBXoFsw7DGtvKD1ieu6WVAmHwf784ZrZpKtSUY7IW4/UBOdsLZtPeSe9WYmtBW6
<br>
mDLTxeQbrY7b2Xp3vnYGtw3nskYFOdR2SOeTqzcL82Pj/D0IChKgTxxt3z4Uv3it
<br>
1VKgV4fOBwiYd9ib2PBPeIEfVv7ZQLfgtr8+sTnHsxMLZjXuugokVpLtsRBiCukY
<br>
Dg6G7iyap4gPDn66GpsE7LgMbJYDIyRkWle8M55EgK12yspM6LuDTcyMOCfiNOZa
<br>
LMwyZhFbVh1XxS+2b2mBnmZtqKO3ylgGki6R/FRFUuZLgPhGidUena3vZgJBDbw=
<br>
=Q0Yt
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</div>
<br>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br></blockquote></div><br></div>