[squid-users] kinda confused about Peek and Splice

Alex Rousskov rousskov at measurement-factory.com
Sat Sep 19 22:44:34 UTC 2015


On 09/19/2015 10:19 AM, Marek Serafin wrote:
>>> acl nobumpSites ssl::server_name "/etc/squid3/allowed_SSL_sites.txt"
>>> ssl_bump peek step1
>>> ssl_bump splice step2 nobumpSites
>>> ssl_bump bump all

>> I do not see the reason for the "step2" ACL in the above. Do you?

> it should be either "ssl_bump splice nobumpSites"

Yes, that version makes sense to me if you want to splice based on
client-provided info such as SNI (and not based on any server-provided
info).


> or peek at step 2 and
> splice it at step 3, right?  (depending on how deep we want to check) e.g:
> 
> ssl_bump peek step1 all
> ssl_bump peek step2 nobumpSites
> ssl_bump splice step3 nobumpSites
> ssl_bump bump all


Writing "all" after any other ACL should not be needed. It only wastes
CPU cycles (Squid currently does not optimize this case).

In recent Squids, writing "step2" in "peek step2" _after_ "peek step1"
is not needed: "peek step1" will always match during step1 so the second
peek rule will not get executed during step1. No "peek" rule can match
during step3. Thus, the second peek rule will be automatically
restricted to step2.

If you combine the above, you get:

  ssl_bump peek step1
  ssl_bump peek nobumpSites
  ssl_bump splice step3 nobumpSites
  ssl_bump bump all

The above can be simplified further because if the transaction does not
match nobumpSites at step2, then the last rule will match and the
transaction will be bumped. Thus, only nobumpSites transactions will get
to step3 and we can remove the nobumpSites restriction from that step
(besides, it would be too late to bump at step3 anyway):

  ssl_bump peek step1
  ssl_bump peek nobumpSites
  ssl_bump splice step3
  ssl_bump bump all

Furthermore, _if_ you do not need the side-effects (e.g., server
certificate validation) of getting to step3 for nobumpSites, then you
may splice during step2:

  ssl_bump peek step1
  ssl_bump splice nobumpSites
  ssl_bump bump all

which is actually the same as the other configuration you have considered!..


> I got it! I was thinking all the time that the action taken at step 1 and
> step 2 (peeking or staring) is common to all connections. That's why I
> considered peeking at step 2 useless, because if server_name will not
> match the whitelist (the majority of web pages) it would be impossible to
> bump the connection. And those are separate rules!!! like this:
> 
> ## peeking at the first step is mostly/always a good idea (to get the SNI)
> ssl_bump peek step1 all
> 
> # we want to check deeply what we're gonna splice
> ssl_bump peek step2 nobumpSites
> ssl_bump splice step3 nobumpSites
> 
> ### we're bumping the rest. Fake cert will be generated
> ### based on server's cert (that's why we want to bump at step 3)
> ssl_bump stare step2 all
> ssl_bump bump step3 all
> 
> 
> Does it make some sense?

Yes, but it can be simplified using reasoning similar to the one I
provided above.


Cheers,

Alex.
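The step-by-step reasoning in Alex's reply (first matching rule wins at each step, "step1" can only match at step 1, no peek rule can match at step 3, so "bump all" at step 2 keeps non-whitelisted transactions from ever reaching step 3) can be checked mechanically. The following is an added example, not code from this thread or from Squid itself: a small Python simulator of ssl_bump evaluation that applies those rules to every configuration quoted above. Everything it assumes is marked in the code: the whitelist contents (`bank.example`) stand in for allowed_SSL_sites.txt; `nobumpSites` is treated as an ssl::server_name ACL that only becomes known once step 1 has peeked at the ClientHello (intercepted traffic); an unmatched step falls back to splicing, modelled on Squid's documented default of tunnelling without decryption; and "peeking at step 2 precludes bumping at step 3" is modelled as strict, where Squid's documentation says "usually".

```python
"""Toy simulator for Squid's per-step ssl_bump rule evaluation.

Added example for the squid-users thread on peek and splice; not Squid code.
Semantics modelled (the ones the thread's reasoning relies on):
  * rules are tried in order at every step; the first rule whose ACLs all
    match decides that step's action;
  * "stepN" matches only at step N, "all" always matches;
  * peek/stare rules can never match at step 3;
  * peeking at step 2 rules out bumping at step 3 and staring at step 2
    rules out splicing at step 3 (Squid's docs say "usually precludes").
"""
from __future__ import annotations

FINAL_ACTIONS = {"splice", "bump", "terminate"}
PEEK_ACTIONS = {"peek", "stare"}
STEP_ACLS = {"step1": 1, "step2": 2, "step3": 3}

# Constructed stand-in for /etc/squid3/allowed_SSL_sites.txt (assumption).
WHITELIST = {"bank.example"}


def parse_rules(conf: str) -> list[tuple[str, list[str]]]:
    """Parse 'ssl_bump <action> <acl>...' lines into (action, acls) pairs."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "ssl_bump" or len(parts) < 3:
            raise ValueError(f"not an ssl_bump rule: {raw!r}")
        action, acls = parts[1], parts[2:]
        if action not in FINAL_ACTIONS | PEEK_ACTIONS:
            raise ValueError(f"unknown ssl_bump action {action!r}")
        rules.append((action, acls))
    return rules


def acl_matches(acl: str, step: int, sni: str) -> bool:
    """Evaluate one ACL name at the given step for a transaction with this SNI."""
    if acl == "all":
        return True
    if acl in STEP_ACLS:
        return step == STEP_ACLS[acl]
    if acl == "nobumpSites":
        # ssl::server_name: assumed known only after step 1 has peeked at the
        # ClientHello (intercepted traffic, no CONNECT host to use at step 1).
        return step >= 2 and sni in WHITELIST
    raise ValueError(f"unknown acl {acl!r}")


def simulate(rules: list[tuple[str, list[str]]], sni: str) -> list[str]:
    """Return the action chosen at each step until a final action is reached.

    An unmatched step falls back to "splice": an assumption modelled on
    Squid's documented default of tunnelling without decryption.
    """
    trail: list[str] = []
    for step in (1, 2, 3):
        chosen = "splice"
        for action, acls in rules:
            if step == 3 and action in PEEK_ACTIONS:
                continue  # no peek/stare rule can match during step 3
            if all(acl_matches(a, step, sni) for a in acls):
                chosen = action
                break
        if step == 3:
            prior = trail[-1]  # what we did at step 2 decides what step 3 may do
            if prior == "peek" and chosen == "bump":
                raise RuntimeError("too late to bump at step3 after peeking at step2")
            if prior == "stare" and chosen == "splice":
                raise RuntimeError("cannot splice at step3 after staring at step2")
        trail.append(chosen)
        if chosen in FINAL_ACTIONS:
            break
    return trail


def trail_for(conf: str, sni: str) -> list[str]:
    """Convenience wrapper: parse a config and simulate one transaction."""
    return simulate(parse_rules(conf), sni)


def bump_is_too_late(conf: str, sni: str) -> bool:
    """True when the config would try to bump at step 3 after peeking at step 2."""
    try:
        trail_for(conf, sni)
    except RuntimeError:
        return True
    return False


# The configurations discussed in the thread.
MAREK_ORIGINAL = "ssl_bump peek step1\nssl_bump splice step2 nobumpSites\nssl_bump bump all\n"
ALEX_COMBINED = ("ssl_bump peek step1\nssl_bump peek nobumpSites\n"
                 "ssl_bump splice step3 nobumpSites\nssl_bump bump all\n")
ALEX_SIMPLIFIED = ("ssl_bump peek step1\nssl_bump peek nobumpSites\n"
                   "ssl_bump splice step3\nssl_bump bump all\n")
ALEX_STEP2_SPLICE = "ssl_bump peek step1\nssl_bump splice nobumpSites\nssl_bump bump all\n"
MAREK_FINAL = ("ssl_bump peek step1 all\nssl_bump peek step2 nobumpSites\n"
               "ssl_bump splice step3 nobumpSites\nssl_bump stare step2 all\n"
               "ssl_bump bump step3 all\n")
# Constructed counter-example: bumping after peeking at step 2 cannot work.
TOO_LATE = "ssl_bump peek step1\nssl_bump peek nobumpSites\nssl_bump bump all\n"

ALL_CONFIGS = {"marek_original": MAREK_ORIGINAL, "alex_combined": ALEX_COMBINED,
               "alex_simplified": ALEX_SIMPLIFIED, "alex_step2": ALEX_STEP2_SPLICE,
               "marek_final": MAREK_FINAL}

if __name__ == "__main__":
    for name, conf in ALL_CONFIGS.items():
        for sni in ("bank.example", "other.example"):
            print(f"{name:16} {sni:14} -> {' / '.join(trail_for(conf, sni))}")
```

Running it shows what the reply argues in prose: every one of the four configurations Alex derives splices `bank.example` and bumps `other.example`; the variants with `splice step3` reach step 3 for the whitelisted site while `splice nobumpSites` finishes at step 2, and the non-whitelisted transaction is bumped at step 2 in all of them, so the `nobumpSites` restriction on the step 3 rule never changes the outcome. The `TOO_LATE` config shows why it would be pointless anyway.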


