On 11/17/2015 02:25 PM, Bruce Markey wrote:
> Looking at the squid docs for peek and splice
> ( http://wiki.squid-cache.org/Features/SslPeekAndSplice ).
>
> # Do no harm:
> # Splice indeterminate traffic.
> ssl_bump splice serverIsBank
> ssl_bump bump haveServerName
> ssl_bump peek all
> ssl_bump splice all

> So my understanding of this.
>
> splice just passes through.
> then we bump everything else ?
> then peek
> and finally splice all?

I see very little correlation between the above configuration and your
narrative describing it. Either I am completely misinterpreting your
narrative (especially the word "then") or you need to [re]read what each
action does, which actions are final, and how ssl_bump lines are
evaluated.

> Must you bump before peek? I assume so but I'm not sure.

No ssl_bump action can happen after a bump rule matches, so "bump before
X" does not make sense for any action X. Again, there appears to be some
fundamental misunderstanding here.

It is highly unlikely that one can understand how SslBump works by
reading configuration examples alone, unfortunately. If you have not
already, please do read the rest of the wiki page and
http://www.squid-cache.org/Versions/v4/cfgman/ssl_bump.html

Finally, please note that the wiki example assumes that the serverIsBank
ACL mismatches when Squid does not yet know the server name. That
assumption is very important in interpreting the sample configurations
correctly. Many folks cannot write their ssl_bump rules this way because
their ACLs are not that convenient and reliable. YMMV.

Alex.

> On Tue, Nov 17, 2015 at 3:33 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx
> <mailto:squid3@xxxxxxxxxxxxx>> wrote:
>
>     On 18/11/2015 9:24 a.m., Bruce Markey wrote:
>     > Amos,
>     >
>     > I knew something wasn't right.
>     >
>     > Ok then I'm going to start there. I had a heck of a time getting
>     > squidguard to even work due to its reliance on old Berkeley db packages, I'd
>     > be happy to see it go.
>     >
>     > So that being said. I'm going to lose squidguard. Upgrade squid to 3.5.
>     >
>     > I haven't even looked at the 3.5 stuff. How big of a config change am I
>     > looking at? That being said, upgrade or start fresh?
>
>     For the ssl_bump lines yes. They operate very differently, with a bit of
>     a learning curve around the recursive/repeated ssl_bump processing.
>
>     The rest of the config change should be smooth if it was working well
>     with 3.3. "squid -k parse" can highlight the differences there.
>
>     >
>     > Thanks again. This is the first definitive answer I've gotten!
>     >
>
>     Welcome.
>
>     Amos
>
>     _______________________________________________
>     squid-users mailing list
>     squid-users@xxxxxxxxxxxxxxxxxxxxx
>     <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>     http://lists.squid-cache.org/listinfo/squid-users
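
An added example, not part of the thread and not Squid code: a simplified Python model of the evaluation the reply above refers to (all ssl_bump rules are re-checked at each step, the first applicable match wins, a final action stops processing), run over the quoted wiki rules. Assumptions: the server name is unknown at SslBump1 and learned only from SNI at SslBump2, names from the server certificate are ignored, the "usually precludes" restrictions at SslBump3 are treated as absolute, the bank list is constructed, and no-match defaults are not modeled.

```python
# Simplified model of ssl_bump evaluation (added example, not Squid code).
FINAL = {"splice", "bump", "terminate"}  # a final action ends processing
STEPS = ("SslBump1", "SslBump2", "SslBump3")

# The wiki rules quoted in the thread, in order: (action, ACL name).
RULES = [("splice", "serverIsBank"), ("bump", "haveServerName"),
         ("peek", "all"), ("splice", "all")]
BANKS = {"bank.example"}  # constructed sample data for serverIsBank


def acl_matches(acl, name):
    """name is the server name known so far, or None if unknown."""
    if acl == "all":
        return True
    if acl == "haveServerName":
        return name is not None
    if acl == "serverIsBank":  # mismatches while the name is unknown
        return name in BANKS
    raise ValueError(acl)


def possible(action, step, previous):
    """Rules whose action is impossible at this step are ignored."""
    if action in ("peek", "stare"):
        return step != "SslBump3"
    if step == "SslBump3":
        # Peek at step 2 rules out bump; stare rules out splice (simplified).
        blocked = {"peek": "bump", "stare": "splice"}.get(previous)
        return action != blocked
    return True


def evaluate(sni):
    """Return [(step, action)] for one connection; sni=None means no SNI."""
    trace, previous = [], None
    for step in STEPS:
        # Assumption: name unknown at step 1, learned from SNI at step 2.
        name = None if step == "SslBump1" else sni
        for action, acl in RULES:
            if possible(action, step, previous) and acl_matches(acl, name):
                break
        else:
            raise RuntimeError("no rule matched; defaults are not modeled")
        trace.append((step, action))
        if action in FINAL:
            break
        previous = action
    return trace
```

In this model no connection takes the four lines in sequence: a bank name is spliced at SslBump2, any other named server is bumped at SslBump2, and only a connection without a server name reaches `splice all` at SslBump3.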