On 9/03/2015 5:52 p.m., Nathan Hoad wrote:
> Hi folks,
>
> I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's
> actually possible to exclude requests based on the SNI host and have
> Squid still bump correctly.

It is supposed to work, but there have been troubles. So YMMV.

> I've been trying with this configuration,
> using a simple external acl:
>
> https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem
> key=/path/to/inspectkey.pem generate-host-certificates=on
> external_acl_type sni ttl=30 concurrency=60 children-max=3
> children-startup=1 %ssl::>sni /usr/libexec/bumphelper
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> acl sslbump_exclusions external sni
>
> ssl_bump peek step1 all
> ssl_bump splice step2 sslbump_exclusions

<snip>

> So what am I missing? It's very hard to find documentation about this,
> so I might put this up on the wiki as an example once it's sorted.

The big issue here is ssl_bump being a fast-type access check. External
ACL helpers do not work reliably.

Amos
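For reference, the helper side of the quoted `external_acl_type sni ... concurrency=60 ... %ssl::>sni` line could look like the sketch below. This is an added example, not code from the thread or from the Squid project, and it does not change the point in the reply that ssl_bump is a fast-type check. Assumptions: the exclusion entries are constructed placeholders, each request line is `<channel-id> <sni>`, and a missing SNI arrives as `-`.

```python
#!/usr/bin/env python3
"""Sketch of a concurrent external ACL helper keyed on the TLS SNI value."""
import sys
from urllib.parse import unquote

# Constructed sample exclusions; a leading dot also matches subdomains.
EXCLUSIONS = {".bank.example", "pinned.example.net"}


def sni_excluded(sni, exclusions=EXCLUSIONS):
    """Return True when the SNI host matches an exclusion entry."""
    host = sni.lower().rstrip(".")
    if not host or host == "-":  # assumption: "-" means no SNI was seen
        return False
    for entry in exclusions:
        if entry.startswith("."):
            # ".bank.example" matches bank.example and any subdomain of it
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def handle_line(line, exclusions=EXCLUSIONS):
    """Turn one '<channel-id> <sni>' request into '<channel-id> OK|ERR'."""
    parts = line.split()
    if not parts:
        return None  # blank line, nothing to answer
    channel = parts[0]
    # Helper input may be URL-escaped by Squid, so decode before matching.
    sni = unquote(parts[1]) if len(parts) > 1 else "-"
    # OK makes the 'sslbump_exclusions' ACL match, ERR makes it not match.
    return f"{channel} {'OK' if sni_excluded(sni, exclusions) else 'ERR'}"


def main():
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # Squid waits on each reply; never buffer


if __name__ == "__main__":
    main()
```

Because `concurrency=60` is set, every reply has to echo the channel ID it was asked on; replies may be sent in any order.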