[squid-users] Connection to cache peer failed "SSL Transparent proxy'
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 7 00:47:36 UTC 2019
On 7/02/19 8:03 am, Walid A. Shaari wrote:
>
> On Wed, 6 Feb 2019 at 05:53, Amos Jeffries wrote:
>
> > ssl_bump peek step1
> >
> > ssl_bump splice azure_sites azure_sites2 #Avoid bumping Microsoft/Azure related sites
> >
>
> The way ACLs work in Squid, items on a line like "azure_sites
> azure_sites2" *both* have to match for the line's action to be used.
>
> So the above line means all those domains except *.microsoft.com will
> *not* be spliced here even if a URL domain was available.
>
>
> Sorry, I did not get that, is it because microsoft.com is duplicated
> by mistake twice on both lines?
>
I mean the names which only occur in one of the two ACL checks will do
possibly unwanted things. See the FAQ
<https://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for
details.

For example, when the request is for "microsoftazurestack.com" the
azure_sites2 part would be false, which then means the splice is not done.
The only domain(s) where both azure_sites AND azure_sites2 are
matching/true are the *.microsoft.com names.

That said, I do not see any reason why you have two ACLs in the first
place. You could probably combine the two into one name and remove
azure_sites2 entirely.

PS. If the problem is line length for the list you can have multiple
'acl' lines adding different values to an ACL (like our default
Safe_Ports does) so long as the type is identical.

OR, you can also wrap config lines using a '\' right before the
end-of-line CRLF and whitespace to start the wrapped line part. Like:

  directive value1 value2 \
    value3 \
    value4

OR, you could place the list in a file and have the ACL load the values
from there.

Amos
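
The AND-within-a-line behaviour described in the reply above, as an added example that is not part of the original post and is not Squid's own code: a simplified Python model of how one rule line is evaluated. The ACL contents, the `azure_all` name, the `not-spliced` fall-through label and the `.azure.example` and `login.microsoft.com` names are constructed assumptions; the thread only names microsoftazurestack.com and *.microsoft.com.

```python
# Simplified model of Squid ACL evaluation for one ssl_bump rule line.
# Not Squid source code; ACL contents are constructed for illustration.

def domain_matches(pattern, host):
    """Domain-style match: a leading '.' also matches subdomains."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(values, host):
    """Values inside one ACL are ORed: any single value may match."""
    return any(domain_matches(v, host) for v in values)

def first_action(rules, acls, host):
    """Rules are checked top-down; ACL names on one line are ANDed."""
    for action, names in rules:
        if all(acl_matches(acls[n], host) for n in names):
            return action
    return None

# Constructed lists: only .microsoft.com appears in both ACLs.
ACLS = {
    "azure_sites": [".microsoft.com", ".microsoftazurestack.com"],
    "azure_sites2": [".microsoft.com", ".azure.example"],
}
# Merged ACL, as the reply suggests (hypothetical name azure_all).
ACLS["azure_all"] = sorted(set(ACLS["azure_sites"] + ACLS["azure_sites2"]))

# "not-spliced" stands for whatever rule follows in the real config.
AS_POSTED = [("splice", ["azure_sites", "azure_sites2"]), ("not-spliced", [])]
MERGED = [("splice", ["azure_all"]), ("not-spliced", [])]

def compare(hosts):
    """Return {host: (action as posted, action with merged ACL)}."""
    return {h: (first_action(AS_POSTED, ACLS, h),
                first_action(MERGED, ACLS, h)) for h in hosts}

if __name__ == "__main__":
    sample = ["login.microsoft.com", "microsoftazurestack.com",
              "portal.azure.example", "www.example.org"]
    for host, (posted, merged) in compare(sample).items():
        print(f"{host:28} as posted: {posted:12} merged: {merged}")
```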