On 11/10/2015 07:05 AM, Stefan Kutzke wrote:

> My assumption is that I have to use in Squid's config:
>
> acl MYSITE ssl::server_name .mydomain.com
> ssl_bump bump MYSITE
> ssl_bump splice all
>
> This results in tunneling all https traffic, nothing will be bumped and
> cached.

Yes, probably because MYSITE (ssl::server_name) often needs SNI and SNI is not available during step1 when MYSITE is evaluated in your config. In other words, your config is equivalent to "ssl_bump splice all" unless reverse DNS works perfectly well.

> I'm a little bit confused about the documentation:
> Under the headline "Processing steps":
> *Step 2:*
> 1. Get TLS clientHello info, including *SNI* where available.
> Under the headline "Actions":
> peek/stare Receive client *SNI (step1)*, ...

I know it is confusing, but I cannot find a better way to explain this in brief documentation without pictures. Improvements are welcomed.

The key here is that ssl_bump rules are evaluated at the end of a step and usually allow Squid to do something at the beginning of the next step. For example, during step1, Squid does not have SNI. If a peek rule matches during step1, then Squid proceeds to step2. At the beginning of step2, Squid gets SNI. Thus, a step1 peek rule controls whether Squid will get SNI (during step2).

> Is it possible to achieve my goal with Squid in transparent mode?

It should be possible, but I do not know whether anybody has done exactly that, so there could be some minor bugs along the way. You need the configuration suggested by Sebastian and the latest Squid you can build.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
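The step ordering described above, turned into a squid.conf fragment. This is an added example, not configuration from this thread or from the Squid project, and it is not Sebastian's suggestion (which is not reproduced on this page). The intercept port number, the CA certificate path, the ssl_crtd path and the certificate database directory are placeholders; the helper name ssl_crtd is the Squid 3.5 one (newer releases ship it as security_file_certgen).

```conf
# Added example (not from the thread): transparent (intercept) SslBump that
# peeks at step1 so SNI becomes available, then bumps only .mydomain.com.
# Port, paths and the CA file below are assumptions; adjust to your build.

https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem

# Helper that mints the forged server certificates (Squid 3.5 name; newer
# releases call it security_file_certgen). Path is an assumption.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl MYSITE ssl::server_name .mydomain.com

# --- Ordering from the original post (kept for comparison, commented out) ---
# At step1 Squid only knows the intercepted destination IP, so MYSITE can
# match only through reverse DNS; when that fails, "splice all" wins for
# every connection and nothing is ever bumped or cached.
#ssl_bump bump MYSITE
#ssl_bump splice all

# --- Corrected ordering ---
# Step1: no SNI yet, so make no final decision; peek to obtain the client Hello.
ssl_bump peek step1
# Step2: the rule above no longer matches, SNI is now known, and
# ssl::server_name can match the real hostname.
ssl_bump bump MYSITE
# Everything else is tunneled untouched.
ssl_bump splice all
```

Run "squid -k parse" after editing to catch directive or option names your build does not know. To confirm that SNI really is reaching the rules, add %ssl::>sni to an access log logformat: a blank value on connections you expected to bump means the decision is still being made at step1. The intercept port also needs the usual firewall redirect of port 443 to 3129, and clients must trust the CA in cert=, or bumped sites will fail certificate validation on the client side.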