[squid-users] Correctly implementing peak-splice
Christos Tsantilas
christos at chtsanti.net
Tue Nov 4 10:32:14 UTC 2014
On 11/03/2014 03:00 PM, James Lay wrote:
>
> Thanks Christos,
>
> So here's where I'm at...my full test config below:
> ......
>......
>
> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
The %ssl::>cert_subject will print the subject of the client
certificate, if there is any. In most cases the client does not send any
certificate.
Logging the server certificate subject is not yet implemented.
>
> The above works, but allows all sites regardless of what's in url.txt.
If you want to use a list of URLs to restrict sites which should be bumped
you should use an external_acl helper.
You can send to the external_acl helpers the client SNI information (on
at_step SslBump2) and/or the server certificate subject (on at_step
SslBump3).
> Additionally, there's no logging of any kind. The allow part makes
> sense as this is the last ACL, the no logging part is confusing. If I
> add:
>
> acl broken_sites dst 69.25.139.128/25
> acl .....
> .....
> and change to
> ssl_bump peek step1 broken_sites
> ssl_bump peek step2 broken_sites
> ssl_bump splice step3 broken_sites
This will splice any connection to broken_sites and will not bump any
other request.
>
> that works, but again...I get no logging, which is worse than "ssl_bump
> splice broken_sites", and defeats the purpose of trying to avoid having
> to create the broken_sites ACL in the first place. Lastly, if I try and
> change splice to peek or bump it's broken with odd log entries such as:
It will help if you describe what you are trying to do.
The acl broken_sites includes only IP addresses. It looks like
peek-and-splice is not needed in your application.
You can just use "ssl_bump none broken_sites"
>
> Nov 3 05:45:23 gateway (squid-1): 192.168.1.110 - -
> [03/Nov/2014:05:45:23 -0700] "GET https://www.google.com/ HTTP/1.1" 503
> 3854 TAG_NONE:HIER_NONE -
> Nov 3 05:45:31 gateway (squid-1): 192.168.1.110 - -
> [03/Nov/2014:05:45:31 -0700] "CONNECT 206.190.36.45:443 HTTP/1.1" 403
> 3402 TCP_DENIED:HIER_NONE -
> Nov 3 05:45:31 gateway (squid-1): 192.168.1.110 - -
> [03/Nov/2014:05:45:31 -0700] "#026#003#001 %BB/%CESsJ%B3%C2%BC%CC%BD%90
> HTTP/1.1" 400 3577 TAG_NONE:HIER_NONE -
>
> Is there something I am missing? I've been really reading through the
> squid site, but I can't find any examples of peek splice. Thank you.
>
> James
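The external_acl helper Christos recommends, written out as an added example that is not part of this thread or of the Squid project: it reads the client SNI Squid hands it at SslBump2 and answers OK (bump) or ERR (do not bump) against a domain list, so the decision can be made by name rather than by the IP-only broken_sites ACL. The BUMP_DOMAINS set, the helper filename and the squid.conf lines in the usage note below are assumptions chosen for illustration; the wire format it implements (one request per line, optional leading channel id when concurrency is enabled, "-" for an absent value, OK/ERR/BH replies) is the standard Squid external_acl protocol.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external_acl helper: decide bump vs. splice by SNI.

Squid writes one line per lookup on stdin (the fields named in the
external_acl_type format, here just %ssl::>sni) and reads one reply per
line on stdout: "OK" (ACL matches -> bump) or "ERR" (no match -> splice).
With concurrency=N each line starts with a channel id that must be echoed.
"""
import sys
from urllib.parse import unquote

# Constructed allowlist (assumption): only these domains and their
# subdomains are bumped; everything else is spliced untouched.
BUMP_DOMAINS = frozenset({"example.com", "internal.example.net"})


def normalize_host(raw):
    """Decode Squid's %XX escaping, drop a trailing dot, lower-case."""
    return unquote(raw).strip().rstrip(".").lower()


def host_in_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = normalize_host(host)
    if not host:
        return False
    labels = host.split(".")
    # Check every suffix: www.example.com -> example.com -> com
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(line, concurrent=False):
    """Map one request line to the reply Squid expects.

    An absent SNI (Squid sends "-") never matches, so a client that does
    not send SNI is spliced rather than bumped. "BH" signals a broken
    request to Squid.
    """
    fields = line.strip().split()
    channel = ""
    if concurrent:
        if not fields:
            return "BH"
        channel, fields = fields[0] + " ", fields[1:]
    sni = fields[0] if fields else ""
    if sni == "-":
        sni = ""
    verdict = "OK" if host_in_domains(sni, BUMP_DOMAINS) else "ERR"
    return channel + verdict


def serve(inp, out, concurrent=False):
    """Helper main loop: answer each lookup and flush so Squid is not blocked."""
    for line in inp:
        if not line.strip():
            continue
        out.write(decide(line, concurrent) + "\n")
        out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, concurrent="--concurrent" in sys.argv[1:])
```

Wiring it into squid.conf (assumed paths and ACL names): `external_acl_type sni_bump ttl=60 %ssl::>sni /usr/local/bin/sni_bump.py`, `acl bump_sites external sni_bump`, `acl step1 at_step SslBump1`, then `ssl_bump peek step1 all`, `ssl_bump bump bump_sites`, `ssl_bump splice all`. The peek at step1 is what makes the SNI available to the helper at step2; at step1 the SNI field is still "-" and the helper correctly answers ERR. If you pass the server certificate subject as a second field at step3, note that it contains spaces and would need quoting-aware parsing, which this helper does not do.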