[squid-users] Squid ssl_bump always makes outbound connection
Eliezer Croitoru
eliezer at ngtech.co.il
Wed Aug 29 21:14:57 UTC 2018
Thanks for testing.
I didn't get to this level yet.
I am trying to test a couple of aspects but I believe that this step is so fast
that I didn't notice it even there.
Thanks,
Eliezer
----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
Behalf Of Eric Lackey
Sent: Saturday, August 25, 2018 5:36 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Squid ssl_bump always makes outbound connection
Using squid-4.2-1.el7.x86_64
I'm looking at ways to optimize Squid when using ssl_bump. We use the peek &
splice approach now and it works pretty well.
While running some tests, I noticed that Squid always makes an outbound
connection to the remote server regardless of when I terminate the
connection. I'm trying to build a configuration that denies traffic
immediately if the client SNI header doesn't match without making a
connection to the remote host.
Here is a very simple configuration that should terminate all connections
after step1. The connection is terminated, but by running a tcpdump at the
same time, I see that Squid still makes an outbound connection.
acl step1 at_step SslBump1
ssl_bump terminate step1
I would expect that if I terminate after step1, the connection to the remote
server should never be made. Can anyone help me understand why Squid would
still make the outbound connection in this instance?