<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
In theory.<br>
<br>
I don't see any 3.5.x bump working yet.<br>
<br>
In 3.4.x bumping is not chunked into stages and only IP-based dst ACLs will work.<br>
<br>
27.01.2015 1:54, Daniel Greenwald writes:<br>
<span style="white-space: pre;">> hmm, according to how I read this page: <a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/Features/SslPeekAndSplice">http://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br>
> The following *should* work, however in my test it bumps all
and does not splice.<br>
> Yuri, I believe the domain name should be available at step2 after peeking in step1.<br>
> Someone correct me?<br>
> <br>
><br>
> acl domains_nobump dstdomain "/etc/squid/domains_nobump.acl"<br>
> acl step1 at_step SslBump1<br>
> acl step2 at_step SslBump2<br>
> ssl_bump splice domains_nobump<br>
> ssl_bump peek step1 all<br>
> ssl_bump bump step2 all<br>
><br>
><br>
> -----------<br>
> Daniel I Greenwald<br>
><br>
><br>
><br>
> On Mon, Jan 26, 2015 at 12:53 PM, Yuri Voinov <<a class="moz-txt-link-abbreviated" href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a>> wrote:<br>
><br>
><br>
> You can't use a dstdomain ACL to disable bumping.<br>
><br>
> Only dst with IPs.<br>
><br>
> You don't know the site FQDN before the bump. :)<br>
><br>
> 26.01.2015 23:48, Josep Borrell writes:<br>
><br>
> > Hi all,<br>
><br>
><br>
><br>
> > Working on squid 3.5.1 with HTTPS interception.<br>
><br>
> > Trying to make a peek/splice configuration work and avoid bumping banks.<br>
><br>
> > Until now bumping is working fine, but I can't avoid bumping the sites in the ACL. All are bumped.<br>
><br>
> > Can anybody share a working configuration or take a look at mine to find why it is not working?<br>
><br>
><br>
><br>
> > Thanks<br>
><br>
><br>
><br>
> > Josep<br>
><br>
><br>
><br>
> > Squid.conf:<br>
><br>
><br>
><br>
> > #HTTPS (SSL) traffic interception options<br>
><br>
> > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB<br>
><br>
> > sslcrtd_children 8 startup=1 idle=1<br>
><br>
><br>
><br>
> > acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"<br>
><br>
> > acl step1 at_step SSLBump1<br>
><br>
> > acl step2 at_step SSLBump2<br>
><br>
> > acl step3 at_step SSLBump3<br>
><br>
><br>
><br>
> > ssl_bump peek step1 all<br>
><br>
> > ssl_bump splice step2 disable-ssl-bump<br>
><br>
> > ssl_bump stare step2 all<br>
><br>
> > ssl_bump splice step3 disable-ssl-bump<br>
><br>
> > ssl_bump bump step3 all<br>
><br>
><br>
><br>
> > http_access allow all<br>
><br>
><br>
><br>
> > http_port 3128<br>
><br>
> > http_port 8080 intercept<br>
><br>
> > https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem<br>
><br>
><br>
><br>
> > forward_max_tries 25<br>
><br>
> > cache_mem 2 GB<br>
><br>
> > maximum_object_size_in_memory 25 MB<br>
><br>
> > maximum_object_size 1 GB<br>
><br>
><br>
><br>
> > visible_hostname squid-v2<br>
><br>
><br>
><br>
> > workers 3<br>
><br>
><br>
><br>
> > coredump_dir /var/spool/squid3<br>
><br>
> > cache_replacement_policy heap LFUDA<br>
><br>
> > cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000<br>
><br>
> > cache_dir rock /var/spool/squid3/cache2 10000<br>
><br>
><br>
><br>
> > refresh_pattern ^ftp: 1440 20% 10080<br>
><br>
> > refresh_pattern ^gopher: 1440 0% 10080<br>
><br>
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
><br>
> > refresh_pattern . 0 80% 10080<br>
><br>
><br>
><br>
> > # FortiGate interface of wccp<br>
><br>
> > wccp2_router 192.168.111.1<br>
><br>
> > # wccp version 2 configuration<br>
><br>
> > wccp2_service standard 90<br>
><br>
> > # tunneling method GRE for forward traffic<br>
><br>
> > wccp2_forwarding_method gre<br>
><br>
> > # tunneling method GRE for return traffic<br>
><br>
> > wccp2_return_method gre<br>
><br>
> > # which interface to use for WCCP (0.0.0.0 determines the interface from routing)<br>
><br>
> > wccp2_address 0.0.0.0<br>
><br>
><br>
><br>
> > /etc/squid3/no-ssl-bump.acl file:<br>
><br>
> > .bancsabadell.com<br>
><br>
> > .lacaixa.com<br>
><br>
><br>
> > _______________________________________________<br>
> > squid-users mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
> > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
></span><br>
<br>
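An added example, not code from the thread or from Squid itself: a small Python model of the per-step ssl_bump evaluation described on the SslPeekAndSplice wiki page Daniel linked. It runs Josep's and Daniel's rule sets against an intercepted connection with and without a peeked SNI, assuming (as a simplification) that a dstdomain ACL sees no server name at step 1, the ClientHello SNI at step 2 and the server certificate name at step 3; the acl names are shortened to "nobump".<br>

```python
# Added example (not from the thread): a simplified model of Squid 3.5's
# per-step ssl_bump evaluation, after the SslPeekAndSplice wiki page.
NOBUMP = [".bancsabadell.com", ".lacaixa.com"]        # domains from the thread's ACL file

# Rules as (action, at_step restriction or None, acl name): Josep's and Daniel's sets
JOSEP = [("peek", 1, "all"), ("splice", 2, "nobump"), ("stare", 2, "all"),
         ("splice", 3, "nobump"), ("bump", 3, "all")]
DANIEL = [("splice", None, "nobump"), ("peek", 1, "all"), ("bump", 2, "all")]

def dstdomain_match(name):
    """Squid dstdomain semantics: '.example.com' matches the domain and its subdomains."""
    if name is None:
        return False
    name = name.lower().rstrip(".")
    return any(name == d.lstrip(".") or name.endswith(d) for d in NOBUMP)

def name_known_at(step, history, sni, cert_cn):
    """Server name a dstdomain ACL can see at each step of an intercepted connection.
    Assumption: step 1 knows only the destination IP (Yuri's point); step 2 knows the
    SNI if the ClientHello was peeked/stared and carried one; step 3 knows the cert CN."""
    if step == 1:
        return None
    if step == 2:
        return sni if history[0] in ("peek", "stare") else None
    return cert_cn if history[1] in ("peek", "stare") else None

def decide(rules, sni=None, cert_cn=None):
    """Return the per-step actions, e.g. ['peek', 'splice'].  Peek/stare continue to
    the next step; splice/bump/terminate are final.  First matching rule wins."""
    history = []
    for step in (1, 2, 3):
        name = name_known_at(step, history, sni, cert_cn)
        chosen = "no-match"
        for action, at_step, acl in rules:
            if at_step is not None and at_step != step:
                continue                          # at_step ACL excludes this step
            if acl == "all" or dstdomain_match(name):
                chosen = action
                break
        # Wiki semantics: stare rules out later splicing and peek usually rules out
        # later bumping, so Josep's 'splice step3' after 'stare step2' cannot take effect.
        if step == 3 and ((history[1] == "stare" and chosen == "splice") or
                          (history[1] == "peek" and chosen == "bump")):
            chosen = "invalid:" + chosen
        history.append(chosen)
        if chosen not in ("peek", "stare"):
            break
    return history
```

With no SNI available (a 3.4.x-style unstaged bump or a client that sends none), both rule sets fall through to their "all" rule and bump everything, which is the behaviour the thread describes.<br>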
<br>
</body>
</html>