[squid-users] Working peek/splice no longer functioning on some sites

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 29 14:29:26 UTC 2017


On 28/11/17 03:50, James Lay wrote:
> On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
>> Perhaps an alternative is to peek only on step1:
>>
>> acl step1 at_step SslBump1
>>
>> ssl_bump peek step1
>> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
>> ssl_bump splice allowed_https_sites
>> ssl_bump terminate all
> 
> Hrmm...wouldn't that negate the ability to read the cert on step2?
> 

Yes it would.

> In layman's terms I'm thinking:
> "peek at step1"
> "splice acl allow matched sni's"
> "peek at step2"
> "splice acl allow'd matched certs"
> "terminate the rest"
> 
> Would that work Amos?
> 

This is essentially what I suggested at the beginning.

Placing splice action and your ACLs on the first ssl_bump line ensures 
that at each step if enough details are known to splice it will happen.

The second line being "peek all" makes peek happen at every step for
which it is possible (step 1 and step 2 - not step 3).

"terminate all" being last makes it happen for "all the rest", aka step 
3 if Squid gets that far without splicing.


The only difference is that my suggested way would also allow splicing
the CONNECT if it happens to be presented with a host name in the
authority-URI, which cannot happen on your proxy unless your port 3128
happens to be intercepting traffic between clients and another proxy.


BTW please do not use port 3128 for intercept. It is officially 
registered for HTTP proxy traffic and so qualifies as "well known".

Amos
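The three-line ordering Amos describes, written out as a complete squid.conf fragment. This is an added example, not a configuration posted in the thread; it uses the Squid 3.5-era `http_port ... ssl-bump cert=` syntax current when the thread was written, and the certificate path, the 3129 intercept port and the regex list file are assumptions (the list file name is the one quoted above). Comments explain which step each `ssl_bump` line acts on, following Amos's explanation.

```squid
# Added example (not from the thread). Assumed: a forward proxy on 3128 that
# receives CONNECT requests, and a separate intercept port for transparent
# HTTPS so the well-known proxy port 3128 is not used for interception.
http_port  3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on
https_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on

# One-site-per-line regex list; ssl::server_name_regex is evaluated against
# whatever name is known at the current step: the CONNECT authority-URI at
# step 1, the client's SNI once the ClientHello has been peeked at (step 2),
# and the server certificate's names once the ServerHello has been peeked
# at (step 3).
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# Line 1: the first ssl_bump line whose ACL matches wins at each step, so
# putting splice here means a connection is spliced as soon as enough
# details are known, at whichever step that happens.
ssl_bump splice allowed_https_sites

# Line 2: anything not yet splice-able is peeked at, which is possible at
# step 1 (reads the SNI) and step 2 (reads the server certificate); peek is
# not an option at step 3.
ssl_bump peek all

# Line 3: "all the rest", i.e. connections reaching step 3 without having
# matched the splice ACL, are terminated.
ssl_bump terminate all
```

Because every name source (CONNECT authority, SNI, server certificate) is checked by the same splice line, a site whose SNI does not match but whose certificate does is still spliced at step 3 rather than terminated, which is the behaviour James was asking for without needing separate per-step `at_step` ACLs.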

