On 11/04/2015 2:22 a.m., Ashish Patil wrote:
> Hello,
>
> I am trying to set up Peek and Splice using Squid 3.5.3. I'm facing issues
> setting it up for websites that have HSTS enabled, like google.com and
> twitter.com.

Those websites don't just have HSTS enabled. Those two in particular have
HTTP/2, SPDY, and WebSockets operating over port 443 as well.

>
> My squid.conf is:
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl/myCA.pem
> acl step3 at_step SslBump3
> acl sslBumpAllowedDstDomain dstdomain google.co.in
> ssl_bump peek step3 all
> ssl_bump splice sslBumpAllowedDstDomain
> ssl_bump bump all

What you have configured is to:

* splice (tunnel) if the reverse-DNS of 173.194.117.24 == google.co.in.
  - I doubt this will ever match. Because google reverse-DNS usually names
    machines from the *.1e100.net domain.
    NOTE: google.* domains are their public forward-DNS entries from the
    encrypted URLs. You have to decrypt/bump to see those.

* bump everything else.

* peek will never happen because the connection was spliced or bumped at
  step 1. step3 is never reached.

>
> The output of access.log is:
> 1428674512.281 511 192.168.3.31 TCP_MISS/301 634 GET http://google.co.in/ - ORIGINAL_DST/173.194.117.23 text/html
> 1428674512.703 348 192.168.3.31 TCP_MISS/302 1106 GET http://www.google.co.in/ - ORIGINAL_DST/173.194.117.24 text/html

Two HTTP requests were intercepted, using port 3128 by the looks of your
config.

> 1428674512.706 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
> 1428674512.711 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
> 1428674515.883 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674515.956 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674515.965 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674516.006 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.310 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.327 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.335 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.411 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -

10 other connections were bumped or spliced. Your log does not continue
long enough to say what was in them, so maybe spliced or they just took
>14 seconds to first request completion.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
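As an added illustration of the rule-evaluation order Amos describes (this is example code written for this page, not code from the thread or from Squid itself), the following Python models how ssl_bump rules are re-evaluated in config order at each SslBump step, with splice/bump/terminate ending evaluation and peek/stare advancing to the next step. It runs Ashish's rule list beside the usual peek-at-step-1 ordering. The destination IP, the 1e100.net reverse-DNS name, the SNI and the certificate name are constructed sample data; the model assumes, as Amos states, that at step 1 a dstdomain ACL only sees the reverse DNS of the intercepted destination IP, and it assumes the peeked SNI is the host name dstdomain sees at step 2.

```python
"""Minimal model of Squid 3.5 ssl_bump evaluation across the SslBump steps.

Added illustration, not Squid's code.  Modelled behaviour: rules are
re-evaluated at every step in configuration order, the first matching
rule wins, splice/bump/terminate are final, peek/stare move the
connection to the next step, and a step where no rule matches falls back
to the documented default action, splice.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

STEPS = ("SslBump1", "SslBump2", "SslBump3")
FINAL_ACTIONS = {"splice", "bump", "terminate"}


@dataclass
class Conn:
    """What Squid knows about one intercepted TLS connection, per step."""
    dst_ip: str
    reverse_dns: str                 # step 1: only the TCP destination and its PTR
    sni: Optional[str] = None        # step 2: server_name from the ClientHello
    cert_name: Optional[str] = None  # step 3: name in the origin server certificate


def host_seen(step: str, conn: Conn) -> str:
    """Host name a dstdomain ACL can compare against at a given step.

    Assumption of this model: step 1 sees reverse DNS only (per Amos),
    step 2 sees the peeked SNI, step 3 sees the server certificate name.
    """
    if step == "SslBump1":
        return conn.reverse_dns
    if step == "SslBump2":
        return conn.sni or conn.reverse_dns
    return conn.cert_name or conn.sni or conn.reverse_dns


Acl = Callable[[str, Conn], bool]


def dstdomain(pattern: str) -> Acl:
    """Squid dstdomain: '.example.com' matches the domain and its subdomains,
    a bare 'example.com' matches that exact host only."""
    pattern = pattern.lower()

    def match(step: str, conn: Conn) -> bool:
        host = host_seen(step, conn).lower()
        if pattern.startswith("."):
            return host == pattern[1:] or host.endswith(pattern)
        return host == pattern

    return match


def at_step(name: str) -> Acl:
    return lambda step, conn: step == name


def all_acl(step: str, conn: Conn) -> bool:
    return True


def evaluate(rules: List[Tuple[str, str]], acls: Dict[str, Acl],
             conn: Conn) -> Tuple[str, int, List[Tuple[str, str]]]:
    """Return (final action, step number it was decided at, trail of matches)."""
    trail: List[Tuple[str, str]] = []
    for step_no, step in enumerate(STEPS, 1):
        action = next((a for a, acl in rules if acls[acl](step, conn)), "splice")
        trail.append((step, action))
        if action in FINAL_ACTIONS:
            return action, step_no, trail
    # Model assumption: a non-final action left over after step 3 degrades
    # to the default, splice.
    return "splice", 3, trail


# Ashish's rule list as posted: peek is gated on step3, so at step 1 only the
# splice and bump rules can ever match.
ACLS_ORIGINAL: Dict[str, Acl] = {
    "step3": at_step("SslBump3"),
    "sslBumpAllowedDstDomain": dstdomain("google.co.in"),
    "all": all_acl,
}
RULES_ORIGINAL = [("peek", "step3"), ("splice", "sslBumpAllowedDstDomain"), ("bump", "all")]

# The usual ordering: peek at step 1 so the SNI is available when the
# splice/bump decision is taken at step 2.  Leading dot so subdomains match.
ACLS_REORDERED: Dict[str, Acl] = {
    "step1": at_step("SslBump1"),
    "sslBumpAllowedDstDomain": dstdomain(".google.co.in"),
    "all": all_acl,
}
RULES_REORDERED = [("peek", "step1"), ("splice", "sslBumpAllowedDstDomain"), ("bump", "all")]

# Same ordering but with the acl exactly as Ashish wrote it (no leading dot).
ACLS_REORDERED_EXACT = dict(ACLS_REORDERED, sslBumpAllowedDstDomain=dstdomain("google.co.in"))

# Constructed sample connection (names are made up for the illustration).
GOOGLE = Conn(dst_ip="173.194.117.24", reverse_dns="xx-in-f24.1e100.net",
              sni="www.google.co.in", cert_name="*.google.com")

if __name__ == "__main__":
    for label, rules, acls in (("original", RULES_ORIGINAL, ACLS_ORIGINAL),
                               ("reordered", RULES_REORDERED, ACLS_REORDERED),
                               ("reordered, exact acl", RULES_REORDERED, ACLS_REORDERED_EXACT)):
        print(label, "->", evaluate(rules, acls, GOOGLE))
```

With the posted rule list the trail is a single entry, bump at step 1, which is why the peek rule and step3 are never reached. Moving peek to step 1 lets the SNI decide at step 2; note that the splice still only happens when the dstdomain pattern actually covers the name the browser sends (www.google.co.in), which a bare `google.co.in` does not.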