You can write it easily ;)

Please note:

1. AFAIK, splice rule must be preceded by bump rule in your config.
2. You can use ssl::server_name_regex or ssl::server_name for a decision.
3. In most cases your users must have your cache CA's when cache cannot splice.

Config snippet, for example, will look like this:

# SSL bump rules 1
acl step1 at_step SslBump1
acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
ssl_bump splice Splice_Only
ssl_bump peek step1
ssl_bump bump all

Note: This snippet will bump all others, and tunnel Splice_Only acl sites.

# SSL bump rules 2
acl step1 at_step SslBump1
ssl_bump peek step1
acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
ssl_bump splice Splice_Only
ssl_bump bump all

Note: This snippet will peek all, splice Splice_Only acl, and bump all others.

Amos, Alex, correct me if I am wrong somewhere.

WBR, Yuri

PS. Also note: you must adjust https_port and/or other SSL options to harden
your cache's TLS connections to avoid other Chrome security warnings. For
example, avoid using SHA1 in your cache's CA, configure EDH ciphers for
outgoing _and_ client-to-cache connections, suppress using SSLv2/SSLv3 (but
keep in mind: you have _much_ old clients, like IM, which are hardcoded to use
SSLv2/SSLv3 and you will get warnings/errors in your cache.log about it).

05.01.16 18:51, Alejandro Martinez wrote:
> Hi all
> I'm still lost, can I ask for a minimal working config splicing google.com
> sites ?
>
> I have made some additional checks (blocking QUIC), but with no luck.
>
> I'm thinking of creating an external helper that receives via ssl::server_name
> and makes a decision there, but if there is a chance with a simple text file
> would appreciate that.
>
> Thanks.
>
>
> 2016-01-04 9:52 GMT-03:00 Alejandro Martinez <ajm.martinez@xxxxxxxxx>:
>
>> Thanks all for your help.
>>
>> Is there a minimal config example to see splicing correctly Google sites?
>>
>> It would be very helpful.
>> On 04/01/2016 09:28, "Amos Jeffries" <squid3@xxxxxxxxxxxxx> wrote:
>>
>>> On 4/01/2016 1:16 p.m., Alejandro Martinez wrote:
>>>> Thanks again Yuri.
>>>>
>>>> I have tried blocking udp protocol on port 80 and 443 but without luck.
>>>
>>> That does not help resolve the errors Chrome is displaying when using
>>> the proxy. It does help resolve the errors that happen by Chrome trying
>>> to bypass the proxy by using the proprietary QUIC protocol.
>>>
>>>>
>>>> Is it possible to make google sites work in transparent mode without
>>>> bumping ? only splicing ?
>>>>
>>>
>>> Of course. That is the purpose of splice. Bumping is optional.
>>>
>>> Amos
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
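
An added example, not part of the original thread: a Python check of the pattern file that `ssl::server_name_regex -i` loads, run against constructed server names before the list is deployed, since any name a pattern matches is spliced and so exempt from bumping. The file contents, probe names and function names are assumptions, and Python's `re` stands in for Squid's own regex matching, which agrees for simple patterns like these.

```python
import re

# Constructed sample of the pattern file named in the ACL
# (/usr/local/squid/etc/google_sites): one regex per line.
# The first two patterns are anchored, the third is not.
SPLICE_LIST = r"""
(^|\.)google\.com$
(^|\.)gstatic\.com$
googleapis.com
"""

# Constructed probes: (server name as seen in SNI, action we intend).
PROBES = [
    ("www.google.com", "splice"),
    ("GOOGLE.COM", "splice"),            # -i makes matching case-insensitive
    ("notgoogle.com", "bump"),
    ("google.com.example.net", "bump"),
    ("fonts.googleapis.com", "splice"),
    ("googleapis.com.example.net", "bump"),
]

def load_patterns(text):
    """Compile each non-blank line as a case-insensitive regex."""
    lines = (ln.strip() for ln in text.splitlines())
    return [(ln, re.compile(ln, re.IGNORECASE))
            for ln in lines if ln]

def decide(server_name, patterns):
    """Mirror 'ssl_bump splice Splice_Only' followed by 'ssl_bump bump all'."""
    for source, rx in patterns:
        if rx.search(server_name):       # a regex ACL matches anywhere in the name
            return "splice", source
    return "bump", None

def audit(patterns, probes):
    """Return the probes whose action differs from the intended one."""
    findings = []
    for name, intended in probes:
        action, source = decide(name, patterns)
        if action != intended:
            findings.append((name, intended, action, source))
    return findings

if __name__ == "__main__":
    for finding in audit(load_patterns(SPLICE_LIST), PROBES):
        print("%s: intended %s, got %s via %r" % finding)
```

The one finding comes from the unanchored third pattern; writing it in the same `(^|\.)...$` form as the first two limits the splice to that domain and its subdomains.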