[squid-users] Correctly implementing peak-splice
Dan Charlesworth
dan at getbusi.com
Sun Nov 2 02:29:17 UTC 2014
And now I’m going to bump this thread because I too would like to hear from anyone that has an example of Peek/splice functioning in 3.5 beta.
> On 30 Oct 2014, at 11:06 pm, James Lay <jlay at slave-tothe-box.net> wrote:
>
> Hello all,
>
> Here is my complete config for trying out peek/splice. This currently
> does not work..is there something obvious that I'm mission? Current
> error is:
>
> Oct 30 06:03:14 gateway squid: 192.168.1.110 - - [30/Oct/2014:06:03:14
> -0600] "GET https://www.google.com/ HTTP/1.1" 503 3854
> TAG_NONE:HIER_NONE
>
> and on the page I get a 71 protocol error and a SSL3_WRITE_PENDING:bad
> write retry.
>
> Thank you.
>
> James
>
> acl localnet src 192.168.1.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> acl all_others dst all
> acl SSL method CONNECT
>
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access allow allowed_sites
> http_access deny all_others
> http_access allow localnet
> http_access allow localhost
>
> http_access deny all
> icp_access deny all
>
> sslproxy_cert_error allow all
>
> sslproxy_options ALL
> sslproxy_flags DONT_VERIFY_PEER
>
> ssl_bump peek all
>
> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/etc/squid/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> http_port 192.168.1.253:3128 intercept
>
> https_port 192.168.1.253:3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
> options=ALL sslflags=NO_SESSION_REUSE
>
> always_direct allow all
>
>
> access_log syslog:daemon.info common
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> icp_port 3130
>
> coredump_dir /opt/var
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list