[squid-users] About SSL peek-n-splice/bump configurations

Alex Rousskov rousskov at measurement-factory.com
Wed Sep 26 19:41:58 UTC 2018


On 09/26/2018 11:40 AM, Julian Perconti wrote:

>> It is impossible for any transaction to be spliced at step3 with this
>> configuration. Whether the transaction matches or does not match
>> noBumpSites at any given step is irrelevant for this statement.
> 
> OK: In this configuration any kind of splice is impossible at step3, but not at step2.

Yes, your configuration makes splicing possible at step2 (and only at
step2).




> Strictly speaking final actions (and maybe any action) do not depend
> on the acl, let's say it is a natural function/behavior of Squid
> beyond any acl.


Correct.


> However, when a final action is present in a rule and that rule
> contains an ACL, the final action will apply to that ACL.

"apply to ACL" does not make sense.

ACLs of a [final] action rule affect when the final action is applied.
They are necessary (but not sufficient) preconditions for applying the
action.



>> An action presence in the rules does not, on its own, stop Squid from
>> processing lower rules. *Applying* a final action does.

> So, why does Squid process the last rule, which stares at step 2? It already
> applied the splice to the ACL sites.

For your configuration:

* If Squid applied the splice rule, then it will ignore the stare rule.

* If Squid reached but did _not_ apply the splice rule, then it will
apply the stare rule instead.

FWIW, I do not understand why you do not seem to understand this fairly
straightforward algorithm so I cannot explain it better. I can correct
your statements, but I do not know _why_ you keep making statements that
need correction. We are running in circles. It could be just a language
barrier.


> So going back to current config:
> 
>   ssl_bump peek step1
>   ssl_bump splice noBumpSites
>   ssl_bump stare step2

> Because I think that the splice action happens at step2 (more
> checks?), and not at step 1 (less checks);

Correct.


> This is the config that best fits my needs.

Glad you found what you were looking for.

This is minor, but replacing "step2" in the last/stare rule with "all"
would be slightly better because "all" is simpler and should be faster
to compute than "step2". This minor simplification/optimization will not
change the overall meaning of the configuration.

I added a similar configuration example to Squid wiki at
https://wiki.squid-cache.org/Features/SslPeekAndSplice


HTH,

Alex.
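
The rule evaluation discussed in this thread, traced for the three-line configuration quoted above. This is an added example, not part of the original message and not Squid code. It is a simplified model with these assumptions: peek and stare are possible only at step1 and step2; at step3, splice needs a preceding peek and bump needs a preceding stare; when no rule matches, Squid bumps after a stare and splices otherwise. The `nobump` flag is a hypothetical stand-in for the noBumpSites ACL result.

```python
# Simplified model of ssl_bump rule evaluation (illustration, not Squid code).
# Assumptions: peek/stare are possible only at step1 and step2; at step3,
# splice needs a preceding peek and bump needs a preceding stare; if no rule
# matches, the action is bump after a stare and splice otherwise.

FINAL = {"splice", "bump", "terminate"}

RULES = [  # the configuration quoted in the thread, top-down
    ("peek",   lambda step, nobump: step == 1),   # ssl_bump peek step1
    ("splice", lambda step, nobump: nobump),      # ssl_bump splice noBumpSites
    ("stare",  lambda step, nobump: step == 2),   # ssl_bump stare step2
]

def possible(action, step, prev):
    """Can this action be applied at this step, given the previous action?"""
    if action in ("peek", "stare"):
        return step in (1, 2)
    if step == 3 and action == "splice":
        return prev == "peek"
    if step == 3 and action == "bump":
        return prev == "stare"
    return True

def evaluate(rules, nobump):
    """Return [(step, action), ...] for one connection.

    nobump: whether the server name matches noBumpSites (hypothetical input).
    """
    trace, prev = [], None
    for step in (1, 2, 3):
        action = None
        for act, acl in rules:
            # Rules with impossible actions are skipped; first match wins.
            if possible(act, step, prev) and acl(step, nobump):
                action = act
                break
        if action is None:  # no rule matched (assumed default, see above)
            action = "bump" if prev == "stare" else "splice"
        trace.append((step, action))
        if action in FINAL:  # applying a final action ends rule processing
            break
        prev = action
    return trace

if __name__ == "__main__":
    for nobump in (True, False):
        print("noBumpSites match:", nobump, "->", evaluate(RULES, nobump))
```

In this model a noBumpSites match is spliced at step2, and any connection that reaches step3 got there through the stare rule, so splice is never applied at step3. Replacing the last rule's ACL with one that always matches (the "all" suggestion) gives the same traces.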

