[squid-users] Working peek/splice no longer functioning on some sites

torson cofkomail at gmail.com
Sun Sep 1 20:44:04 UTC 2019


For me it works with "ssl_bump peek step1", not with "ssl_bump peek all".

My working config using Squid 4.8:
---
visible_hostname squid
debug_options ALL,1
# DNS caching disabled; see the note on host forgery errors below
positive_dns_ttl 0
negative_dns_ttl 0
client_persistent_connections off
# explicit proxy port plus intercepted plain-HTTP port
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdom_regex "/etc/squid/allow_list.conf"
http_access allow allowed_http_sites
# intercepted HTTPS port; the ssl-bump option needs a cert/key even though
# nothing is bumped here (peek + splice/terminate only)
https_port 3130 intercept ssl-bump \
  tls-cert=/etc/squid/ssl/squid-ca-cert-key.pem \
  options=SINGLE_DH_USE,SINGLE_ECDH_USE,NO_SSLv2,NO_SSLv3 \
  tls-dh=/etc/squid/ssl/dhparam.pem
# intercepted TLS connections arrive as fake CONNECT requests to port 443
# and must pass http_access before ssl_bump is consulted
acl SSL_port port 443
http_access allow SSL_port
# same allow list, matched against the SNI seen in the client hello
acl allowed_https_sites ssl::server_name_regex "/etc/squid/allow_list.conf"
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
# peek at step1 only, then splice allowed SNIs and terminate everything else
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice allowed_https_sites
ssl_bump terminate all
http_access deny all
# one directive per line: %ssl::>sni belongs on the same line as the rest
logformat general %tl %6tr %>a %Ss/%03>Hs %<st %rm %ssl::bump_mode %ru %ssl::>sni
access_log daemon:/var/log/squid/access.log general
---

One thing to note is the "positive_dns_ttl 0" and "negative_dns_ttl 0"
directives; my findings are that DNS caching needs to be set to zero in
cases where DNS records get changed every minute due to round-robin, combined
with hosting in environments where records change faster than the TTL, e.g. on
AWS, where you're hitting different DNS servers, each having a different TTL.
I was getting a lot of host forgery errors before setting those to 0.
This is in addition to all the servers using the same DNS address.

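An added example, not part of the original post or of Squid: a small Python script that reads access.log lines written in the poster's "general" logformat (%tl %6tr %>a %Ss/%03>Hs %<st %rm %ssl::bump_mode %ru %ssl::>sni) and checks the two things a practitioner wants to confirm with this config, namely that allow-listed SNIs are being spliced rather than terminated, and whether host forgery rejections (Squid answers these with a 409) are still occurring. The log lines and the allow_list.conf contents below are constructed for the example, the %tl layout is assumed to be Squid's default (`%d/%b/%Y:%H:%M:%S %z`), and the function names are mine. Note that a forgery rejection happens on the fake CONNECT before the client hello is parsed, so its line carries no SNI and the destination has to be taken from %ru instead.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, in the logformat "general" from the config above.
# Values are illustrative only, not copied from a real Squid log.
SAMPLE_LOG = """\
01/Sep/2019:20:40:01 +0000     12 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT splice 52.1.2.3:443 api.example.com
01/Sep/2019:20:40:05 +0000      3 10.0.0.7 NONE/409 0 CONNECT none 52.9.9.9:443 -
01/Sep/2019:20:40:09 +0000      2 10.0.0.7 NONE/000 0 CONNECT terminate 203.0.113.10:443 tracker.example.net
01/Sep/2019:20:40:12 +0000      2 10.0.0.9 NONE/000 0 CONNECT terminate 93.184.216.34:443 www.example.com
"""

# Constructed stand-in for /etc/squid/allow_list.conf: one regex per line,
# as consumed by dstdom_regex / ssl::server_name_regex.
ALLOW_LIST = r"""
# allow the example.com zone only
(^|\.)example\.com$
"""

# %tl (assumed default strftime layout) contains one space before the tz
# offset; every other field in this logformat is a single token.
LINE_RE = re.compile(
    r"^(?P<time>\S+ [+-]\d{4})\s+(?P<tr>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<bump>\S+)\s+(?P<url>\S+)\s+(?P<sni>\S*)$"
)


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does
    not match the expected layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("tr", "code", "bytes"):
        rec[key] = int(rec[key])
    return rec


def load_allow_list(text):
    """Compile allow_list.conf style patterns; blank lines and '#' comments
    are skipped.  Squid's regex ACLs are case-sensitive unless -i is given,
    so no IGNORECASE here."""
    patterns = []
    for raw in text.splitlines():
        s = raw.strip()
        if s and not s.startswith("#"):
            patterns.append(re.compile(s))
    return patterns


def summarize(log_text, allow_list_text):
    """Count bump_mode per SNI, collect 409 host-forgery rejections (keyed by
    %ru, because no SNI exists yet at that point) and flag any SNI that
    matches the allow list but was terminated instead of spliced."""
    allow = load_allow_list(allow_list_text)
    modes = defaultdict(Counter)
    forgeries = []
    wrong_terminates = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sni = rec["sni"]
        modes[sni][rec["bump"]] += 1
        if rec["code"] == 409:
            forgeries.append((rec["client"], sni, rec["url"]))
        if rec["bump"] == "terminate" and any(p.search(sni) for p in allow):
            wrong_terminates.append((rec["client"], sni))
    return {
        "modes": {k: dict(v) for k, v in modes.items()},
        "forgeries": forgeries,
        "wrong_terminates": wrong_terminates,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, ALLOW_LIST)
    for sni, counts in sorted(result["modes"].items()):
        print(f"{sni:25s} {counts}")
    for client, _sni, dst in result["forgeries"]:
        print(f"host forgery rejection: client={client} dst={dst}")
    for client, sni in result["wrong_terminates"]:
        print(f"allow-listed SNI terminated: client={client} sni={sni}")
```

Run it against a real /var/log/squid/access.log by replacing SAMPLE_LOG with the file contents and ALLOW_LIST with /etc/squid/allow_list.conf; a non-empty "allow-listed SNI terminated" list points at the ssl_bump rules or the step1 ACL, while recurring 409 lines point at the DNS answers Squid caches versus the ones the clients got.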