On 09/19/2015 10:19 AM, Marek Serafin wrote:

>>> acl nobumpSites ssl::server_name "/etc/squid3/allowed_SSL_sites.txt"
>>> ssl_bump peek step1
>>> ssl_bump splice step2 nobumpSites
>>> ssl_bump bump all

>> I do not see the reason for the "step2" ACL in the above. Do you?

> it should be either "ssl_bump splice nobumpSites"

Yes, that version makes sense to me if you want to splice based on
client-provided info such as SNI (and not based on any server-provided
info).

> or peek at step 2 and
> splice it at step 3, right? (depending on how deep we want to check) e.g:
>
> ssl_bump peek step1 all
> ssl_bump peek step2 nobumpSites
> ssl_bump splice step3 nobumpSites
> ssl_bump bump all

Writing "all" after any other ACL should not be needed. It only wastes
CPU cycles (Squid currently does not optimize this case).

In recent Squids, writing "step2" in "peek step2" _after_ "peek step1"
is not needed: "peek step1" will always match during step1 so the second
peek rule will not get executed during step1. No "peek" rule can match
during step3. Thus, the second peek rule will be automatically
restricted to step2. If you combine the above, you get:

  ssl_bump peek step1
  ssl_bump peek nobumpSites
  ssl_bump splice step3 nobumpSites
  ssl_bump bump all

The above can be simplified further because if the transaction does not
match nobumpSites at step2, then the last rule will match and the
transaction will be bumped. Thus, only nobumpSites transactions will get
to step3 and we can remove the nobumpSites restriction from that step
(besides, it would be too late to bump at step3 anyway):

  ssl_bump peek step1
  ssl_bump peek nobumpSites
  ssl_bump splice step3
  ssl_bump bump all

Furthermore, _if_ you do not need the side-effects (e.g., server
certificate validation) of getting to step3 for nobumpSites, then you
may splice during step2:

  ssl_bump peek step1
  ssl_bump splice nobumpSites
  ssl_bump bump all

which is actually the same as the other configuration you have
considered!..

> I got it!
> I was thinking all the time that action taken at step 1 and
> step 2 (peeking or staring) is common to all connections. That's why I
> considered peeking at step 2 as useless because if server_name will not
> match the whitelist (majority of webpages) it would be impossible to
> bump the connection. And those are separate rules!!! like this:
>
> ## peeking at first step is mostly/always good idea (to get the SNI)
> ssl_bump peek step1 all
>
> # we want to check deeply what we're gonna splice
> ssl_bump peek step2 nobumpSites
> ssl_bump splice step3 nobumpSites
>
> ### we're bumping the rest. Fake cert will be generated
> ### based on server's cert (that's why we want to bump at step 3)
> ssl_bump stare step2 all
> ssl_bump bump step3 all
>
>
> Does it make some sense?

Yes, but it can be simplified using reasoning similar to the one I
provided above.

Cheers,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
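A runnable model of the per-step rule walk that Alex's simplifications rely on, added here as an illustration; it is neither part of the thread nor Squid's own code. It encodes the thread's statements (rules are tried in order and the first one whose ACLs all match wins; no "peek" rule can match at step3, and the same treatment is applied to "stare"; after peeking at the server in step2 it is too late to bump at step3) plus a few labelled assumptions: a symmetric no-splice-after-stare restriction, "splice" as the no-match outcome for peeked transactions and "bump" for stared ones, and ssl::server_name being the CONNECT host at step1 and the SNI from step2 on. The whitelist is a constructed stand-in for /etc/squid3/allowed_SSL_sites.txt, and `parse`, `decide`, `Rule` and `Transaction` are the example's own names. Running it shows that Alex's step3 variant, his step2 variant and Marek's final config all reach the same final action for whitelisted and non-whitelisted SNIs, differing only in the step at which the decision is made (the "side-effects" point).

```python
"""Toy model of how Squid walks ssl_bump rules across the SslBump steps.

Added example, not Squid's code: the semantics are a simplified reading of
the thread plus the assumptions marked in the comments below.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the contents of /etc/squid3/allowed_SSL_sites.txt
ALLOWED_SSL_SITES = {"bank.example", "mail.example"}
FINAL_ACTIONS = {"splice", "bump", "terminate"}


@dataclass
class Rule:
    action: str            # peek | stare | splice | bump | terminate
    acls: Tuple[str, ...]  # every listed ACL must match; "all" always matches


@dataclass
class Transaction:
    sni: Optional[str]                  # server name from the peeked ClientHello
    connect_host: Optional[str] = None  # CONNECT target; None for intercepted traffic


def parse(config: str) -> List[Rule]:
    """Parse ssl_bump lines; comments and blank lines are ignored."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, action, *acls = line.split()
        if directive != "ssl_bump" or not acls:
            raise ValueError(f"unsupported line: {raw!r}")
        rules.append(Rule(action, tuple(acls)))
    return rules


def acl_matches(name: str, step: int, tx: Transaction) -> bool:
    if name == "all":
        return True
    if name in ("step1", "step2", "step3"):
        return step == int(name[-1])
    if name == "nobumpSites":
        # Assumption: ssl::server_name is the CONNECT host (if any) during step1
        # and the SNI once the ClientHello has been peeked at, i.e. from step2 on.
        known = tx.connect_host if step == 1 else (tx.sni or tx.connect_host)
        return known in ALLOWED_SSL_SITES
    raise ValueError(f"unknown ACL {name!r}")


def evaluate(rules: List[Rule], tx: Transaction):
    """Return (final_action, trace); trace lists the (step, action) chosen per step."""
    trace, prev = [], None
    for step in (1, 2, 3):
        chosen = None
        for rule in rules:
            if step == 3 and rule.action in ("peek", "stare"):
                continue  # thread: no peek rule can match at step3 (stare treated alike)
            if step == 3 and ((prev == "peek" and rule.action == "bump")
                              or (prev == "stare" and rule.action == "splice")):
                continue  # thread: too late to bump after a step2 peek; stare case assumed
            if all(acl_matches(a, step, tx) for a in rule.acls):
                chosen = rule.action
                break
        if chosen is None:
            chosen = "bump" if prev == "stare" else "splice"  # assumed no-match outcome
        trace.append((step, chosen))
        if chosen in FINAL_ACTIONS:
            return chosen, trace
        prev = chosen
    return prev, trace  # not reached: step3 always yields a final action


def decide(config: str, sni: str, connect_host: Optional[str] = None):
    """Final action and the step at which it was decided, for one transaction."""
    action, trace = evaluate(parse(config), Transaction(sni, connect_host))
    return action, trace[-1][0]


# The three configurations from the thread.
ALEX_STEP3 = "ssl_bump peek step1\nssl_bump peek nobumpSites\nssl_bump splice step3\nssl_bump bump all\n"
ALEX_STEP2 = "ssl_bump peek step1\nssl_bump splice nobumpSites\nssl_bump bump all\n"
MAREK_REVISED = """
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump stare step2 all
ssl_bump bump step3 all
"""
CONFIGS = {"alex_step3": ALEX_STEP3, "alex_step2": ALEX_STEP2, "marek_revised": MAREK_REVISED}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        for sni in ("bank.example", "other.example"):
            print(f"{name:14} {sni:14} -> {decide(cfg, sni)}")
```

`decide` returns the final action together with the step that settled it, so the equivalence Alex argues for (same splice/bump outcome) and the difference he points out (whitelisted sites reach step3, and thus server certificate validation, only in the step3 variants) both fall out of the same run.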