I'm not about it. server-first keyword deprecated in 3.5.x. AFAIK, keyword "bump" now has yet another meaning.

And also: in your example can only use acl "all". Any other ACLs lead to a "Bungled config line" error. I.e., for example,

acl net_bump acl net_bump src 192.168.101.0/24
ssl_bump peek step1 net_bump
ssl_bump server-first step2 net_bump

breaks configuration.

26.01.2015 22:14, Daniel Greenwald writes:
> call it what you want, it works :)
>
> -----------
> Daniel I Greenwald
>
> On Mon, Jan 26, 2015 at 10:51 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>
> > Daniel,
> >
> > well,
> >
> > but AFAIK server-first directive is deprecated in 3.5.x.
> >
> > Hmmmmmm?
> >
> > 26.01.2015 19:37, Daniel Greenwald writes:
> > > See below. Nothing else too interesting. Those four lines were the key.
> > >
> > > http_port 3128
> > > http_port 3180 intercept
> > > https_port 3443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
> > > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
> > > sslcrtd_children 10
> > > logformat dig %{%Y-%m-%d %H:%M:%S}tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A "%{User-Agent}>h"
> > > logfile_rotate 10
> > > access_log /var/log/squid/access.log dig
> > > pinger_enable off
> > >
> > > acl step1 at_step SslBump1
> > > acl step2 at_step SslBump2
> > > ssl_bump peek step1 all
> > > ssl_bump server-first step2 all
> > >
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80 443
> > > acl CONNECT method CONNECT
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > >
> > > http_access allow localhost manager
> > > http_access deny manager
> > > http_access deny to_localhost
> > >
> > > http_access allow all
> > > http_access deny all
> > >
> > > # Uncomment and adjust the following to add a disk cache directory.
> > > #cache_dir ufs /var/spool/squid 100 16 256
> > >
> > > # Leave coredumps in the first cache dir
> > > coredump_dir /var/spool/squid
> > >
> > > #
> > > # Add any of your own refresh_pattern entries above these.
> > > #
> > > refresh_pattern ^ftp: 1440 20% 10080
> > > refresh_pattern ^gopher: 1440 0% 1440
> > > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > > refresh_pattern . 0 20% 4320
> > >
> > > -----------
> > > Daniel I Greenwald
> > >
> > > On Mon, Jan 26, 2015 at 3:28 AM, Rafael Akchurin <rafael.akchurin@xxxxxxxxxxxx> wrote:
> > >
> > > > Hello Daniel, Yuri
> > > >
> > > > May be you could dump your whole squid.conf here (please remove any sensitive details).
> > > >
> > > > I still cannot understand once Squid has the target server hostname from SNI - where is the acl/rule in squid.conf that can be used with this info present?
> > > >
> > > > Best regards,
> > > > Rafael
> > > >
> > > > -------------------------
> > > > *From:* squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of Daniel Greenwald <dig@xxxxxxxxxxx>
> > > > *Sent:* Monday, January 26, 2015 5:39 AM
> > > > *To:* Yuri Voinov
> > > > *Cc:* squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > > *Subject:* Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?
> > > >
> > > > Thank you Amos,
> > > >
> > > > Based on your explanation I was able to make bumping work for transparent with no browser errors in 3.5.1 by using the following. If I understand correctly, this is actually what's required to mimic the behavior of pre 3.5 (sslbump server-first all):
> > > >
> > > > acl step1 at_step SslBump1
> > > > acl step2 at_step SslBump2
> > > > ssl_bump peek step1 all
> > > > ssl_bump server-first step2 all
> > > >
> > > > Hope that helps Yuri or anyone else with this issue.
> > > >
> > > > PS So far this is working great for e.g. gmail.com which in previous version would throw browser errors!
> > > >
> > > > -----------
> > > > Daniel I Greenwald
> > > >
> > > > On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
> > > >
> > > > > How can that be?
> > > > >
> > > > > All HSTS sites cry with 3.5 bump option - they don't like host IP as CN, other sites' behaviour depends on their (and browsers') settings.
> > > > >
> > > > > Is it possible to keep server-first behaviour in 3.5.x ?
> > > > >
> > > > > WBR, Yuri
> > > > >
> > > > > 09.01.2015 16:57, Amos Jeffries writes:
> > > > > > On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
> > > > > > > I have working production 3.4.10 with working ssl bumping.
> > > > > > >
> > > > > > > Config was the same as working 3.4.10. I just wanted to take a look at the new release.
> > > > > > >
> > > > > > > In squid.documented it is said that backward compatibility for the server-first and none options for ssl_bump is kept.
> > > > > > >
> > > > > > > But:
> > > > > > >
> > > > > > > Neither works with old syntax, nor new.
> > > > > > >
> > > > > > > Looks like target https hosts are not resolved and bump got only IP.
> > > > > >
> > > > > > The config values are still accepted, but there is an extra bumping stage now before the SNI is available.
> > > > > >
> > > > > > You are wanting to peek at stage 1 (to get the client SNI details) and server-first/splice at stage 2 (using the domain). Otherwise all Squid works with when intercepting are the TCP IPs.
> > > > > >
> > > > > > Amos
> > > > > > _______________________________________________
> > > > > > squid-users mailing list
> > > > > > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > > > > http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
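A small consistency check for the ssl_bump rules discussed in this thread, added here as an example and not code from the thread or from the Squid project: it reads the acl and ssl_bump lines of a squid.conf fragment and reports ACLs referenced before they are defined, ssl_bump actions that 3.5 does not know, and a bumping rule with no peek/stare at SslBump1 (Amos's explanation of why mimicked certificates carry only the server IP). The list of accepted actions is an assumption taken from the 3.5 squid.conf documentation, and both sample configs are constructed.

```python
# ssl_bump actions Squid 3.5 accepts (assumption: from the 3.5 squid.conf docs).
SSL_BUMP_ACTIONS = {"none", "client-first", "server-first", "peek", "stare",
                    "splice", "bump", "terminate"}
BUMPING_ACTIONS = {"bump", "server-first", "client-first"}
BUILTIN_ACLS = {"all"}  # usable without an explicit acl line

# Constructed samples: the working 3.5 rules from the thread, and a broken variant.
WORKING_CONF = """\
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump server-first step2 all
"""
BROKEN_CONF = """\
acl step2 at_step SslBump2
ssl_bump peek step1 all   # step1 is never declared
ssl_bump server-first step2 all
"""

def check_ssl_bump_config(conf: str) -> list:
    acl_type = dict.fromkeys(BUILTIN_ACLS, "builtin")  # acl name -> "TYPE ARGS"
    problems, saw_step1_peek, saw_bump = [], False, False
    for lineno, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        if words[0] == "acl":  # acl NAME TYPE ARG...: fewer than 4 words is malformed
            if len(words) < 4:
                problems.append(f"line {lineno}: malformed acl line: {raw.strip()}")
                continue
            acl_type[words[1]] = " ".join(words[2:])
        elif words[0] == "ssl_bump":  # ssl_bump ACTION [!]ACL...
            if len(words) < 2 or words[1] not in SSL_BUMP_ACTIONS:
                problems.append(f"line {lineno}: unknown ssl_bump action: {raw.strip()}")
                continue
            action, acls = words[1], [w.lstrip("!") for w in words[2:]]
            for name in acls:
                if name not in acl_type:
                    problems.append(f"line {lineno}: ACL '{name}' used before it is defined")
            # The client SNI only becomes available after a peek or stare at step 1,
            # so a bump without one sees nothing but the server IP (Amos's point).
            if action in ("peek", "stare") and any(
                    acl_type.get(n) == "at_step SslBump1" for n in acls):
                saw_step1_peek = True
            if action in BUMPING_ACTIONS:
                saw_bump = True
    if saw_bump and not saw_step1_peek:
        problems.append("no peek/stare rule at SslBump1: mimicked certificates "
                        "will carry only the server IP, as in the thread's subject")
    return problems
```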