Hi Amos,

After digging through debug logs, I noticed this:

2015/03/09 14:40:12.467 | client_side.cc(2902) concurrentRequestQueueFilled: local=74.125.23.95:443 remote=10.3.20.249:40083 FD 11 flags=33 max concurrent requests reached (1)
2015/03/09 14:40:12.467 | client_side.cc(2903) concurrentRequestQueueFilled: local=74.125.23.95:443 remote=10.3.20.249:40083 FD 11 flags=33 deferring new request until one is done
2015/03/09 14:40:12.467 | client_side.cc(4365) httpsSslBumpStep2AccessCheckDone: Failed to start fake CONNECT request for ssl spliced connection: local=74.125.23.95:443 remote=10.3.20.249:40083 FD 11 flags=33

Which sparked my memory about a patch that Christos has for 3.5.3:

http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13766.patch

After applying this patch and rebuilding, everything works now, so that's good.

I tried using dstdomain as opposed to an external ACL and it did not work - I suspect this is because dstdomain doesn't cover the SNI server name, but it should be fine with Christos' server_name ACL patch, I would expect. If I get time I might try applying that to 3.5.x to see if it covers my use case, but for the time being I'll stick with the external ACL helper.

Cheers,

Nathan.

On 9 March 2015 at 16:06, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 9/03/2015 5:52 p.m., Nathan Hoad wrote:
>> Hi folks,
>>
>> I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's
>> actually possible to exclude requests based on the SNI host and have
>> Squid still bump correctly.
>
> It is supposed to work, but there have been troubles. So YMMV.
>
>> I've been trying with this configuration,
>> using a simple external acl:
>>
>> https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem
>> key=/path/to/inspectkey.pem generate-host-certificates=on
>> external_acl_type sni ttl=30 concurrency=60 children-max=3
>> children-startup=1 %ssl::>sni /usr/libexec/bumphelper
>>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>>
>> acl sslbump_exclusions external sni
>>
>> ssl_bump peek step1 all
>> ssl_bump splice step2 sslbump_exclusions
> <snip>
>
>>
>> So what am I missing? It's very hard to find documentation about this,
>> so I might put this up on the wiki as an example once it's sorted.
>
> The big issue here is ssl_bump being a fast-type access check. external
> ACL helpers do not work reliably.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
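As an added illustration of the external ACL helper the quoted configuration relies on (example code, not the helper from the thread or from the Squid project): Squid launches it with `concurrency=60` and feeds it `%ssl::>sni`, so each stdin line is `<channel-id> <sni>` and each reply must echo the channel id with `OK` (client matches `sslbump_exclusions`, so the connection is spliced) or `ERR` (not excluded, so it is bumped). The exclusion list and the `-` placeholder for a missing SNI are assumptions; a missing SNI is deliberately treated as not excluded so that clients without SNI still get inspected.

```python
#!/usr/bin/env python3
"""Example Squid external ACL helper: decide SslBump exclusions from the SNI host."""
import sys

# Constructed exclusion list: exact hosts, plus parent domains written with a leading dot.
EXCLUSIONS = {"bank.example", ".payments.example"}


def sni_excluded(sni, exclusions=EXCLUSIONS):
    """Return True when the SNI host matches an exclusion exactly or by parent domain."""
    if not sni or sni == "-":  # assumption: Squid sends "-" when %ssl::>sni is absent
        return False
    host = sni.lower().rstrip(".")  # normalise case and a trailing dot
    for entry in exclusions:
        if entry.startswith("."):
            # parent-domain entry: match the domain itself and any subdomain
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def handle_line(line, exclusions=EXCLUSIONS):
    """Turn one concurrency-format request '<channel-id> <sni>' into its reply line."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None  # blank line: nothing to answer
    channel = parts[0]
    sni = parts[1] if len(parts) > 1 else "-"
    verdict = "OK" if sni_excluded(sni, exclusions) else "ERR"
    return f"{channel} {verdict}"


def main():
    # Squid keeps the helper running and multiplexes requests by channel id,
    # so every reply must be flushed immediately or the channel stalls.
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```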