Re: SSL Peek-n-Splice and exclusions by SNI

On 9/03/2015 5:52 p.m., Nathan Hoad wrote:
> Hi folks,
> 
> I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's
> actually possible to exclude requests based on the SNI host and have
> Squid still bump correctly.

It is supposed to work, but there have been troubles. So YMMV.

> I've been trying with this configuration,
> using a simple external acl:
> 
> https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem
> key=/path/to/inspectkey.pem generate-host-certificates=on
> external_acl_type sni ttl=30 concurrency=60 children-max=3
> children-startup=1 %ssl::>sni /usr/libexec/bumphelper
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> acl sslbump_exclusions external sni
> 
> ssl_bump peek step1 all
> ssl_bump splice step2 sslbump_exclusions
<snip>

> 
> So what am I missing? It's very hard to find documentation about this,
> so I might put this up on the wiki as an example once it's sorted.

The big issue here is ssl_bump being a fast-type access check. external
ACL helpers do not work reliably.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
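As an added illustration of Amos's point (not part of either mail above): ssl_bump is evaluated as a fast access check, so the lookup that decides peek/splice/bump has to come from a built-in ACL rather than from an external helper. Squid 3.5 provides ssl::server_name (and ssl::server_name_regex), which at step2 is matched against the SNI that the step1 peek obtained. The fragment below keeps Nathan's step ACLs and replaces the external "sni" helper with that ACL; the domain list and the final "bump" rule are assumptions for the example, not something the thread states.

```conf
# Assumed listener from the original mail; paths are placeholders.
https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem \
    key=/path/to/inspectkey.pem generate-host-certificates=on

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Weak form (slow external ACL, unreliable in a fast check such as ssl_bump):
#   external_acl_type sni ttl=30 concurrency=60 children-max=3 \
#       children-startup=1 %ssl::>sni /usr/libexec/bumphelper
#   acl sslbump_exclusions external sni

# Corrected form: a fast built-in ACL matched against the peeked SNI.
# Example domains are constructed; list the hosts that must not be bumped.
acl sslbump_exclusions ssl::server_name .bank.example .healthcare.example

# Step1: peek at the ClientHello to learn the SNI without committing.
ssl_bump peek step1 all
# Step2: SNI is now known; splice excluded hosts through untouched.
ssl_bump splice step2 sslbump_exclusions
# Everything else is bumped (assumed continuation; the mail was snipped here).
ssl_bump bump all
```

The ordering matters: splice must be decided at step2, right after the peek has exposed the SNI and before Squid connects to the server, since a connection that has already been peeked further cannot be turned into a bump.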