On 08/21/2014 07:06 PM, Jatin Bhasin wrote: > So, can somebody suggest me if there is a way to pass a flag to squid > from ecap adapter to decrypt a site regardless of what ACL says. For > example if I have an acl as below which says do not decrypt > www.888.com but If my ecap adapter could pass a message to squid > asking it to decrypt www.888.com (for that session only) and ignore > the below acl. > Is it possible? Given a recent-enough Squid version, an adaptation service can control Squid behavior via the annotations mechanism and the "note" ACL associated with it. For example, your eCAP adapter can return an X-Bump:yes annotation(**) that Squid can then match using the note ACL. Something along these untested lines: acl note toBump X-Bump yes ssl_bump server-first toBump ssl_bump server-first ... ssl_bump none all This mechanism should be supported for ssl_bump ACLs but I have not tested that claim myself. HTH, Alex. (**) In eCAP terminology, an X-Bump:yes annotation is an adapter transaction option named X-Bump with a "yes" value. See libecap::Options, which is a parent of libecap::adapter::Xaction.
