[squid-dev] [PATCH] Second adaptation missing for CONNECTs

Alex Rousskov rousskov at measurement-factory.com
Mon May 8 13:12:59 UTC 2017


On 05/08/2017 12:49 AM, Amos Jeffries wrote:
> 
> On 08/05/17 13:18, Alex Rousskov wrote:
>> On 03/31/2017 07:21 AM, Christos Tsantilas wrote:
>>> Avoid sending second CONNECT request to adaptation
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> The users may not want to send the second request to the adaptation
>>> services. In this case they can use acls as follows:
>>>
>>> acl step1 at_step  SslBump1
>>> acl step2 at_step  SslBump2
>>> acl markSpliced annotate_client spliced=true
>>>
>>> ssl_bump peek step1
>>> ssl_bump splice step2 markSpliced
>>>
>>> acl markedSpliced note spliced true
>>>
>>> adaptation_access class_reqmodifing deny markSpliced
>>> adaptation_access class_reqmodifing allow all
>>
>> For the record, there is also an alternative way to avoid step2
>> adaptation (without using any annotations):
>>
>>    adaptation_access request-modifier deny step2
>>    adaptation_access request-modifier allow all
>>
>> Christos has verified that both approaches work so admins can pick the
>> one _they_ prefer (which may depend on, for example, whether they are
>> already using annotations for something else).

> So the documentation of at_step is now wrong:
>  "Never matches and should not be used outside of /ssl_bump/."

I suspect it was wrong from the very beginning, at least on the
conceptual level: That ACL should be usable during and after SslBump
steps. We may not support it in some contexts today, but the same can be
said of nearly every ACL. I suggest removing that documentation line or
at least replacing "ssl_bump" with "SslBump".


Thank you,

Alex.


