On 02/01/2016 09:55 AM, Tom Tom wrote: > I'm still confused about the correct apply of the "at_step"-rules. > Does an action (ex. bump, peek, stare...) without providing a > step-argument implicit means step1, step2 AND step3? There is no "step argument". The following may help you understand what is going on: 0. There is nothing really special or magical about "step" ACLs or the "all" ACL. They have no side effects. The ACLs themselves do not enable or trigger something. When Squid evaluates ACLs for a given rule, Squid treats all ACLs the same. 1. All ssl_bump rules are considered at each of three bumping steps. 2. Rules with actions that are impossible at the current step are ignored. 3. The action of the first matching ssl_bump rule is applied at the end of the current step. When considering a single ssl_bump rule, Squid simply evaluates all ACLs attached to that rule, one-by-one, according to regular ACL matching rules. 4. If no rules match at a given step, then the bump action is used if you have been staring and the splice action is used otherwise. I am not 100% sure this is an accurate summary of the default behavior, and you should avoid relying on such defaults if possible. > Why does in my example the terminate-action triggers, although I > didn't defined a step? You do not define steps. Squid goes through three hard-coded steps. At each step, Squid applies a single ssl_bump action you have configured. This "stepping" ends when the final action is applied during a step (see above for the algorithm). An ACL is nothing but a [named] condition: "If foo, then declare a match". An ACL itself does not enable any Squid action (there are some ugly exceptions related to authentication but those are outside SslBump scope). Your terminate rule triggers at step N because: i. Some non-final SslBump rule matched at all step(s) prior to N. ii. Each rule above "terminate" was either not applicable at step N or its ACL(s) did not match at step N. iii. The terminate rule ACL(s) matched at step N. Amos has described specific conditions that could result in the terminate action. HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
