Re: Correctly implementing peak-splice

On 11/03/2014 03:00 PM, James Lay wrote:

> Thanks Christos,
>
> So here's where I'm at...my full test config below:
> ......
> ......
>
> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject

The %ssl::>cert_subject will print the subject of the client certificate, if there is any. In most cases the client does not send any certificate.
Logging the server certificate subject is not yet implemented.


> The above works, but allows all sites regardless of what's in url.txt.

If you want to use a list of URLs to restrict which sites should be bumped, you should use an external_acl helper. You can send the external_acl helper the client SNI information (on at_step SslBump2) and/or the server certificate subject (on at_step SslBump3).

> Additionally, there's no logging of any kind.  The allow part makes
> sense as this is the last ACL, the no logging part is confusing.  If I
> add:
>
> acl broken_sites dst 69.25.139.128/25
> acl .....
> .....
> and change to
> ssl_bump peek step1 broken_sites
> ssl_bump peek step2 broken_sites
> ssl_bump splice step3 broken_sites

This will splice any connection to broken_sites and will not bump any other request.


> that works, but again...I get no logging, which is worse than "ssl_bump
> splice broken_sites", and defeats the purpose of trying to avoid having
> to create the broken_sites ACL in the first place.  Lastly, if I try and
> change splice to peek or bump it's broken with odd log entries such as:

It will help if you describe what you are trying to do.
The acl broken_sites includes only IP addresses. It looks like peek-and-splice is not needed in your application.
You can just use "ssl_bump none broken_sites".


> Nov  3 05:45:23 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:23 -0700] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE -
> Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "CONNECT 206.190.36.45:443 HTTP/1.1" 403 3402 TCP_DENIED:HIER_NONE -
> Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "#026#003#001 %BB/%CESsJ%B3%C2%BC%CC%BD%90 HTTP/1.1" 400 3577 TAG_NONE:HIER_NONE -
>
> Is there something I am missing?  I've been really reading through the
> squid site, but I can't find any examples of peek splice.  Thank you.
>
> James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
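The external_acl approach Christos recommends, worked through as an added example (this helper is not from the thread, nor part of the Squid project): a small helper that receives the client SNI name at SslBump step 2 and answers OK when the site is on a bump list, so that `ssl_bump bump` applies only to listed hosts and everything else is spliced. The helper path, the list file name, the acl names and the squid.conf fragment in the docstring are assumptions made for this example (the directives follow the Squid 3.5 syntax the thread already uses for `at_step`); the site list used in the comments is constructed.

```python
#!/usr/bin/env python3
"""Added example: a Squid external_acl helper that decides from the TLS SNI
name (available at at_step SslBump2) whether a connection should be bumped.

Assumed squid.conf wiring (placeholders chosen for this example):

    external_acl_type sni_check ttl=60 children-max=4 concurrency=10 \
        %ssl::>sni /usr/local/bin/sni_check.py /etc/squid/bump_sites.txt
    acl bump_sites external sni_check
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump bump_sites
    ssl_bump splice all

Helper protocol: Squid writes one line per lookup ("<channel-id> <sni>"
when concurrency= is set) and reads back "<channel-id> OK|ERR|BH".
"""
import sys
from urllib.parse import unquote


def load_domains(lines):
    """Parse the site list: one entry per line, '#' starts a comment.
    'www.example.com' matches that host only; '.example.net' matches the
    domain and every subdomain below it."""
    exact, suffixes = set(), set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if entry.startswith("."):
            suffixes.add(entry.lstrip("."))
        else:
            exact.add(entry)
    return exact, suffixes


def matches(sni, exact, suffixes):
    """True when the SNI host is on the list. Squid passes '-' when the
    client sent no SNI at all; that never matches, so such connections
    fall through to the final splice rule instead of being bumped."""
    host = sni.strip().lower().rstrip(".")
    if not host or host == "-":
        return False
    if host in exact:
        return True
    return any(host == s or host.endswith("." + s) for s in suffixes)


def handle_line(request, exact, suffixes, concurrent=False):
    """Turn one request line from Squid into the reply line for it."""
    fields = request.split()
    channel = None
    if concurrent and fields:
        # with concurrency=N the first field is a channel id that must be echoed back
        channel, fields = fields[0], fields[1:]
    if not fields:
        # BH tells Squid the helper could not produce an answer (it is not a match)
        reply = 'BH message="missing SNI field"'
    else:
        # Squid %-encodes the values it passes; undo that before matching
        reply = "OK" if matches(unquote(fields[0]), exact, suffixes) else "ERR"
    return f"{channel} {reply}" if channel is not None else reply


def main(argv=sys.argv):
    if len(argv) != 2:
        sys.stderr.write("usage: sni_check.py <site-list-file>\n")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        exact, suffixes = load_domains(fh)
    # Squid keeps the helper running and talks to it one line at a time
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, exact, suffixes, concurrent=True) + "\n")
        sys.stdout.flush()  # Squid blocks on this lookup until the reply arrives
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the decision is made at step 2 from the SNI alone, the helper sees only what the client claimed; the server certificate subject (%ssl::<cert_subject at step 3) is the place to verify that claim if the list must not be bypassed by a client that sends a false SNI.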




