Re: Peek and Splice for websites using HSTS

Yuri Voinov <yvoinov@xxxxxxxxx> · Fri, 10 Apr 2015 23:05:09 +0600



    -----BEGIN PGP SIGNED MESSAGE----- 

    Hash: SHA256 

     
    BTW, man, splice in most cases means "no bump".

    
    Why do you expect that will happen bumping, if your URL is in splice
    ACL?

    
    10.04.15 20:22, Ashish Patil пишет:

    > Hello,

      >

      > I am trying to set up Peek and Splice using Squid 3.5.3. I'm
      facing issues

      > setting it up for website that have HSTS enabled, like
      google.com and

      > twitter.com.

      >

      > My squid.conf is:

      > http_port 3128 intercept

      > https_port 3129 intercept ssl-bump
      generate-host-certificates=on

      > dynamic_cert_mem_cache_size=4MB
      cert=/usr/local/squid/ssl/myCA.pem

      > acl step3 at_step SslBump3

      > acl sslBumpAllowedDstDomain dstdomain google.co.in

      > ssl_bump peek step3 all

      > ssl_bump splice sslBumpAllowedDstDomain

      > ssl_bump bump all

      >

      >

      > The output of access.log is:

      > 1428674512.281    511 192.168.3.31 TCP_MISS/301 634 GET
      http://google.co.in/

      > - ORIGINAL_DST/173.194.117.23 text/html

      > 1428674512.703    348 192.168.3.31 TCP_MISS/302 1106 GET

      > http://www.google.co.in/ - ORIGINAL_DST/173.194.117.24
      text/html

      > 1428674512.706      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.24:443

      > - HIER_NONE/- -

      > 1428674512.711      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.24:443

      > - HIER_NONE/- -

      > 1428674515.883      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      > 1428674515.956      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      > 1428674515.965      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      > 1428674516.006      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      > 1428674526.310      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      > 1428674526.327      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      > 1428674526.335      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      > 1428674526.411      0 192.168.3.31 TAG_NONE/200 0 CONNECT
      173.194.117.22:443

      > - HIER_NONE/- -

      >

      >

      > Any input would be welcome.

      >

      >

      >

      > _______________________________________________

      > squid-users mailing list

      > squid-users@xxxxxxxxxxxxxxxxxxxxx

      > http://lists.squid-cache.org/listinfo/squid-users

    
    -----BEGIN PGP SIGNATURE-----


    Version: GnuPG v2


    iQEcBAEBCAAGBQJVKALFAAoJENNXIZxhPexGAwAH/jTH4eX6W1RDp12zwGC4Fu8P


    68eLUveFGb+pjtlML/fvBBmihp6QOi1sU/CswbqaowFw/A/dXLmZhdo/nZI474up


    iYpiqZZ2nH2muvXjSU746p6LcjGAv0bHqXkXHQpDqfXnob7v1wJdNYVnthWw+t3Y


    sCxBlTetuvyTO7iCYGZ7bB9oVspb7q4Vd4t7T079KCT2CkuyBOZrcB7IWAqigYoZ


    BnJef33wZ45YCTzRmsbVpUZMZgFsNCtkTuVAXOfBewlwBORxoZ/sIXsecDTKRrJ6


    0QntexRv4f+CBZiXJJvFdyA4U57yw5FHDgLcEFIPdfhW7xnRPxrgU3t9WXclDkc=


    =mGMV


    -----END PGP SIGNATURE-----


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users