On Mon, 2014-11-03 at 12:24 +0200, Christos Tsantilas wrote:
> On 10/30/2014 02:06 PM, James Lay wrote:
> > Hello all,
> >
> > Here is my complete config for trying out peek/splice. This currently
> > does not work..is there something obvious that I'm missing? Current
> > error is:
> >
> > Oct 30 06:03:14 gateway squid: 192.168.1.110 - - [30/Oct/2014:06:03:14 -0600] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE
> >
> > and on the page I get a 71 protocol error and a SSL3_WRITE_PENDING:bad
> > write retry.
>
> - You should use the at_step acl to configure different bumping modes on
> each bumping step.
>
> - If you used "peek" mode on the SslBump1 and SslBump2 steps, then on the
> SslBump3 step you should use "splice". If you select "bump", the most
> likely result is that you get SSL connection errors.
> The "peek" mode on the SslBump3 step is interpreted as "bump" mode.
>
> - If you selected peek mode on the SslBump1 and SslBump2 steps, in most
> cases you can select only "terminate" or "splice" for the SslBump3 step.
>
> The following configuration should work:
>
> # Bumping steps:
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> # Selecting bumping mode
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> ssl_bump splice step3 all
>
> Regards,
> Christos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Thanks Christos,

So here's where I'm at...my full test config below:

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 777         # multiling http
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl CONNECT method CONNECT
acl allowed_sites url_regex "/opt/etc/squid/url.txt"
acl all_others dst all
acl SSL method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow allowed_sites
http_access deny all_others
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
sslproxy_cert_error allow all
sslproxy_options ALL
sslproxy_flags DONT_VERIFY_PEER
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 all
http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE
always_direct allow all
logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
access_log syslog:daemon.info common

The above works, but allows all sites regardless of what's in url.txt. Additionally, there's no logging of any kind. The allow part makes sense, as this is the last ACL; the no-logging part is confusing.

If I add:

acl broken_sites dst 69.25.139.128/25
acl broken_sites dst 65.55.0.0/16
acl broken_sites dst 72.246.0.0/16
acl broken_sites dst 54.224.0.0/12
acl broken_sites dst 17.0.0.0/8
acl broken_sites dst 69.192.0.0/16
acl broken_sites dst 209.59.128.0/18
acl broken_sites dst 173.194.0.0/16
acl broken_sites dst 107.20.0.0/14
acl broken_sites dst 54.72.0.0/13
acl broken_sites dst 54.80.0.0/12
acl broken_sites dst 23.0.0.0/12
acl broken_sites dst 23.192.0.0/11
acl broken_sites dst 8.25.205.0/24
acl broken_sites dst 75.126.0.0/16
acl broken_sites dst 74.125.0.0/16
acl broken_sites dst 192.195.204.0/24
acl broken_sites dst 96.16.0.0/15

and change to:

ssl_bump peek step1 broken_sites
ssl_bump peek step2 broken_sites
ssl_bump splice step3 broken_sites

that works, but again...I get no logging, which is worse than "ssl_bump splice broken_sites", and defeats the purpose of trying to avoid having to create the broken_sites ACL in the first place.

Lastly, if I try and change splice to peek or bump, it's broken with odd log entries such as:

Nov 3 05:45:23 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:23 -0700] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE -
Nov 3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "CONNECT 206.190.36.45:443 HTTP/1.1" 403 3402 TCP_DENIED:HIER_NONE -
Nov 3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "#026#003#001 %BB/%CESsJ%B3%C2%BC%CC%BD%90 HTTP/1.1" 400 3577 TAG_NONE:HIER_NONE -

Is there something I am missing? I've been really reading through the squid site, but I can't find any examples of peek/splice.

Thank you.

James
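The following squid.conf fragment is an added example, not a configuration posted by either Christos or James. It is written for Squid 3.5 (the release that introduced peek and splice) and shows the shape Christos describes: peek at SslBump1 so the TLS ClientHello is read but forwarded unmodified, then decide at SslBump2 using the SNI that the peek revealed. Instead of James's broken_sites list of destination IP ranges, the exception list is matched with the ssl::server_name ACL, which sees the SNI at step 2 and the server certificate subject at step 3; as the TCP_DENIED line in James's log shows ("CONNECT 206.190.36.45:443"), the intercepted CONNECT that http_access and a dst ACL see carries only an IP and port, so a url_regex against host names cannot match there. Everything not on the list is bumped, and the log format records the SNI with %ssl::>sni. The file /etc/squid/nobump.txt, the domain names in the comment, the listening address 192.168.1.253, the CA bundle /etc/squid/bump-ca.pem and the log path are assumptions chosen for the example.

```conf
# Added peek-and-splice example for Squid 3.5; not from the thread above.
# Assumed local names: /etc/squid/nobump.txt, /etc/squid/bump-ca.pem (CA cert
# and key in one PEM), 192.168.1.253, /var/log/squid/access.log.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

# The three SslBump steps, so ssl_bump rules can differ per step.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Server names that must never be bumped (pinned clients, update services),
# one dstdomain-style entry per line, e.g.
#   .apple.com
#   .windowsupdate.com
# Matched against the ClientHello SNI at step 2 and the certificate at step 3.
acl nobump ssl::server_name "/etc/squid/nobump.txt"

http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Step 1: read the ClientHello (SNI) and pass it through unchanged.
ssl_bump peek step1
# Step 2: the SNI is now known. Tunnel the exception list as-is ...
ssl_bump splice nobump
# ... and bump everything else. Squid fetches and validates the origin
# certificate here before minting the client-facing one.
ssl_bump bump all

# Deliberately absent: "sslproxy_flags DONT_VERIFY_PEER" and
# "sslproxy_cert_error allow all". With the defaults, an origin certificate
# that fails validation produces an error for the client instead of being
# replaced by a freshly signed proxy certificate that hides the problem.

http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/bump-ca.pem

# Log the SNI next to the tunnel/result tags so spliced connections show
# up with a name even though no certificate was ever inspected for them.
logformat sslbump %ts.%03tu %>a %Ss:%Sh %>Hs "%rm %ru" sni=%ssl::>sni subject=%ssl::>cert_subject
access_log /var/log/squid/access.log sslbump
```

Two things to expect when running this. For connections spliced at step 2, Squid never examines the server certificate, so %ssl::>cert_subject is empty and the SNI is the only name it has; a client that sends no SNI gets no entry in nobump and is bumped by the last rule, which is the safe default for an allow-list but worth checking against your pinned clients. And the third log line in James's message, read as octal escapes, starts with the bytes 0x16 0x03 0x01, the header of a TLS handshake record: whatever reached that parser was a raw ClientHello being treated as an HTTP request line, which is the symptom to look for when an ssl_bump step has been given a mode the previous steps cannot support.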