[squid-users] About SSL peek-n-splice/bump configurations
Alex Rousskov
rousskov at measurement-factory.com
Wed Sep 26 19:41:58 UTC 2018
On 09/26/2018 11:40 AM, Julian Perconti wrote:

>> It is impossible for any transaction to be spliced at step3 with this
>> configuration. Whether the transaction matches or does not match
>> noBumpSites at any given step is irrelevant for this statement.
>
> OK: In this configuration any kind of splice is impossible at step3; but not at step2.

Yes, your configuration makes splicing possible at step2 (and only at
step2).

> Strictly speaking, final actions (and maybe any action) do not depend
> on the acl, let's say it is a natural function/behavior of Squid
> beyond any acl.

Correct.

> However, when a final action is present in a rule and that rule
> contains an ACL, the final action will apply to that ACL.

"apply to ACL" does not make sense.

ACLs of a [final] action rule affect when the final action is applied.
They are necessary (but not sufficient) preconditions for applying the
action.

>> An action presence in the rules does not, on its own, stop Squid from
>> processing lower rules. *Applying* a final action does.
>
> So, why does Squid process the last rule, which stares at step 2? It already
> applied the splice to the ACL sites.

For your configuration:

* If Squid applied the splice rule, then it will ignore the stare rule.
* If Squid reached but did _not_ apply the splice rule, then it will
  apply the stare rule instead.

FWIW, I do not understand why you do not seem to understand this fairly
straightforward algorithm so I cannot explain it better. I can correct
your statements, but I do not know _why_ you keep making statements that
need correction. We are running in circles. It could be just a language
barrier.

> So going back to current config:
>
> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump stare step2
>
> Because I think that: the splice action happens at step2 (more
> checks?), and not at step 1 (fewer checks);

Correct.

> This is the config that best fits my needs.

Glad you found what you were looking for.

This is minor, but replacing "step2" in the last/stare rule with "all"
would be slightly better because "all" is simpler and should be faster
to compute than "step2". This minor simplification/optimization will not
change the overall meaning of the configuration.

I added a similar configuration example to Squid wiki at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

HTH,
Alex.
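
The rule walk discussed in this message, as an added example that is not part of the original post and is not Squid code: a small Python model of the three-rule configuration and of the suggested "all" variant. The contents of `NO_BUMP_SITES`, the step3 restrictions in `possible()` and the no-match fallback in `decide()` are assumptions of this model, not statements from the thread.

```python
# Added illustration (not Squid source): a simplified model of how ssl_bump
# rules are walked at each SslBump step, for the configuration in the message.
RULES = [("peek", "step1"), ("splice", "noBumpSites"), ("stare", "step2")]
ALT_RULES = RULES[:2] + [("stare", "all")]   # the suggested "all" variant

NO_BUMP_SITES = {"bank.example"}             # constructed sample ACL content
FINAL = {"splice", "bump", "terminate"}      # applying one ends rule processing


def possible(action, step, prev):
    """Can `action` be applied at `step`, given the action applied one step earlier?"""
    if step < 3:
        return True
    # Model assumption for step3: peek/stare are over, splice needs a prior
    # peek, bump needs a prior stare.
    return (action == "terminate"
            or (action == "splice" and prev == "peek")
            or (action == "bump" and prev == "stare"))


def acl_matches(acl, step, server_name):
    if acl == "all":
        return True
    if acl.startswith("step"):
        return step == int(acl[4:])
    return acl == "noBumpSites" and server_name in NO_BUMP_SITES


def decide(rules, server_name):
    """Return the (step, action) pairs applied to one TLS connection."""
    trace, prev = [], None
    for step in (1, 2, 3):
        # First rule wins, but only if its action is possible AND its ACL matches.
        action = next((a for a, acl in rules
                       if possible(a, step, prev)
                       and acl_matches(acl, step, server_name)), None)
        if action is None:
            # Model assumption: with no applicable rule, follow the previous step.
            action = "bump" if prev == "stare" else "splice"
        trace.append((step, action))
        if action in FINAL:
            break
        prev = action
    return trace


if __name__ == "__main__":
    for name in ("bank.example", "other.example"):
        print(name, decide(RULES, name), decide(ALT_RULES, name))
```

In this model a noBumpSites name is peeked at step1 and spliced at step2, while any other name is stared at step2, after which splice is no longer possible.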