In theory. I don't see any 3.5.x bump working yet. In 3.4.x bumping is not chunked into stages and only IP-based dst ACLs will work.

27.01.2015 1:54, Daniel Greenwald wrote:
> hmm acc to how I read this page: http://wiki.squid-cache.org/Features/SslPeekAndSplice
> The following *should* work, however in my test it bumps all and does not splice.
> Yuri- I believe, the domain name should be available at step2 after peeking in step1.
> Someone correct me?
>
> acl domains_nobump dstdomain "/etc/squid/domains_nobump.acl"
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump splice domains_nobump
> ssl_bump peek step1 all
> ssl_bump bump step2 all
>
> -----------
> Daniel I Greenwald
>
> On Mon, Jan 26, 2015 at 12:53 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
> > You can't use a dstdomain ACL to disable bumping.
> > Only dst with IPs.
> > You don't know the site FQDN before bump. :)
> >
> > 26.01.2015 23:48, Josep Borrell wrote:
> > > Hi all,
> > >
> > > Working on squid 3.5.1 with HTTPS interception.
> > > Trying to make a peek/splice configuration work and avoid bank bumping.
> > > Until now bumping is working fine, but I can't avoid bumping the sites in the acl. All are bumped.
> > > Can anybody share a working configuration or take a look at mine to find why it is not working?
> > >
> > > Thanks
> > >
> > > Josep
> > >
> > > Squid.conf:
> > >
> > > #HTTPS (SSL) traffic interception options
> > > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
> > > sslcrtd_children 8 startup=1 idle=1
> > >
> > > acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
> > > acl step1 at_step SSLBump1
> > > acl step2 at_step SSLBump2
> > > acl step3 at_step SSLBump3
> > >
> > > ssl_bump peek step1 all
> > > ssl_bump splice step2 disable-ssl-bump
> > > ssl_bump stare step2 all
> > > ssl_bump splice step3 disable-ssl-bump
> > > ssl_bump bump step3 all
> > >
> > > http_access allow all
> > >
> > > http_port 3128
> > > http_port 8080 intercept
> > > https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem
> > >
> > > forward_max_tries 25
> > > cache_mem 2 GB
> > > maximum_object_size_in_memory 25 MB
> > > maximum_object_size 1 GB
> > >
> > > visible_hostname squid-v2
> > >
> > > workers 3
> > >
> > > coredump_dir /var/spool/squid3
> > > cache_replacement_policy heap LFUDA
> > > cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000
> > > cache_dir rock /var/spool/squid3/cache2 10000
> > >
> > > refresh_pattern ^ftp: 1440 20% 10080
> > > refresh_pattern ^gopher: 1440 0% 10080
> > > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > > refresh_pattern . 0 80% 10080
> > >
> > > # FortiGate interface of wccp
> > > wccp2_router 192.168.111.1
> > > # wccp version 2 configuration
> > > wccp2_service standard 90
> > > # tunneling method GRE for forward traffic
> > > wccp2_forwarding_method gre
> > > # tunneling method GRE for return traffic
> > > wccp2_return_method gre
> > > # which interface to use for WCCP (0.0.0.0 determines the interface from routing)
> > > wccp2_address 0.0.0.0
> > >
> > > /etc/squid3/no-ssl-bump.acl file:
> > > .bancsabadell.com
> > > .lacaixa.com
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users