[squid-users] SSLBUMP for specific domains
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 13 23:08:45 UTC 2023
On 13/01/2023 10:47 am, andre.bolinhas wrote:
> So is it a bug for 500 or a bad configuration?
> I have also tried this setup and it seems to "fix" the tcp_tunnel/500
...
> Basically the changes that I made is on peek step changing from
> ssl_bump peek ssl_step1
> To
> acl NotPeek any-of Group26
You should not need "any-of" ACL with a single entry. Just use "Group26"
directly.
> ssl_bump peek !NotPeek
>
> This is a good idea?
What you have done here is tell Squid to peek at both step1 and step2.
The peek action is not relevant at step3, which lets Squid reach the
splice rules.
The "bump" action will now be performed at step1 before any details of
the server cert are available.
This can work, but generally is a bad idea with current TLS. I recommend
doing a peek, stare, bump sequence instead for the NotPeek/Group26 traffic.
Amos
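The peek, stare, bump sequence recommended above, written out as squid.conf lines. This is an added example, not configuration from the thread; it assumes Group26 is the poster's domain ACL (defined here with a constructed placeholder domain) and that everything not in Group26 should be spliced.

```conf
# Added example, not from the thread. Group26 stands for the poster's ACL;
# the domain below is a constructed placeholder.
acl Group26 ssl::server_name .bumped-example.test

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Step 1: only the client hello (SNI) is known. Peek for all traffic so the
# server certificate can be examined before deciding what to do.
ssl_bump peek step1

# Step 2: the server certificate is now available. Stare at Group26 traffic
# (stare, not peek, is what allows a later bump) and peek at everything else
# so it can still be spliced.
ssl_bump stare step2 Group26
ssl_bump peek step2

# Step 3: bump the Group26 traffic, splice the rest untouched.
ssl_bump bump step3 Group26
ssl_bump splice all
```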