On 04/20/2016 08:16 AM, Odhiambo Washington wrote:

> I even wonder if this config is correct:
>
> acl ssl_bump_broken_sites dstdomain ...
> ssl_bump none ssl_bump_broken_sites
> ssl_bump peek step1
> ssl_bump stare step2
> ssl_bump bump all

You did not say what you want Squid to do, so it is difficult to say whether the config is correct. However, the following combinations look strange to me:

* old "none" and new "peek" actions; use "splice" instead of "none"
* sometimes contradictory "peek" and "stare" actions; pick one kind
* sometimes contradictory "peek" and "bump" actions; if you intend to bump, use "stare"

Also, you may want to use ssl::server_name ACL instead of dstdomain. Remember that Squid may have no domain information until it is too late to splice.

Here is a polished config that may or may not do what you want:

  # Bump aggressively, including discovered-too-late broken_sites:
  acl ssl_bump_broken_sites ssl::server_name ...
  ssl_bump splice ssl_bump_broken_sites
  ssl_bump stare all
  ssl_bump bump all

> I had to import my CA to all devices (as a trusted CA) on
> the network so that they don't get the MITM notification. [...] People
> don't like intrusive changes.

"ssl_bump bump" implies intrusiveness. You need to decide whether bumping connections is important enough to be intrusive. The alternative is passive monitoring/splicing that does not require intrusive changes but gives you less control. Pick your poison.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
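As an added illustration (not part of the thread and not Squid's own code), the following small lint reads ssl_bump rules the way the reply above reasons about them: it flags "none" mixed with "peek", "peek" alongside "stare", "peek" alongside "bump", and ssl_bump rules that key on a dstdomain ACL. The two embedded configurations are constructed from the thread, with the elided domain list replaced by a placeholder name; the parser is a deliberate simplification of squid.conf syntax.

```python
# Added example (not from the squid-users thread): a lint for ssl_bump rule sets
# that reports the combinations the reply calls out. Sample configs are constructed.
from typing import Dict, List, Tuple

# Constructed: the original poster's rules (dstdomain list replaced by a placeholder).
ORIGINAL_CONF = """
acl ssl_bump_broken_sites dstdomain broken.example
ssl_bump none ssl_bump_broken_sites
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
"""

# Constructed: the polished variant suggested in the reply.
POLISHED_CONF = """
acl ssl_bump_broken_sites ssl::server_name broken.example
ssl_bump splice ssl_bump_broken_sites
ssl_bump stare all
ssl_bump bump all
"""

def parse_conf(conf: str) -> Tuple[Dict[str, str], List[Tuple[str, List[str]]]]:
    """Return {acl name: acl type} and the ordered ssl_bump rules as (action, acl list)."""
    acl_types: Dict[str, str] = {}
    rules: List[Tuple[str, List[str]]] = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments; blank lines yield []
        if len(parts) >= 3 and parts[0] == "acl":
            acl_types[parts[1]] = parts[2]
        elif len(parts) >= 2 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return acl_types, rules

def lint_ssl_bump(conf: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the rule combinations discussed in the reply."""
    acl_types, rules = parse_conf(conf)
    actions = {action for action, _ in rules}
    findings: List[Tuple[str, str]] = []
    if "none" in actions and "peek" in actions:
        findings.append(("none-with-peek", "old 'none' mixed with new 'peek'; use 'splice' instead of 'none'"))
    if "peek" in actions and "stare" in actions:
        findings.append(("peek-with-stare", "'peek' and 'stare' both present; pick one kind"))
    if "peek" in actions and "bump" in actions:
        findings.append(("peek-with-bump", "'peek' combined with 'bump'; if you intend to bump, use 'stare'"))
    for action, acls in rules:
        for acl in acls:  # a leading '!' negates an ACL; strip it before the type lookup
            if acl_types.get(acl.lstrip("!")) == "dstdomain":
                findings.append(("dstdomain-acl", f"'ssl_bump {action} {acl}' keys on dstdomain; prefer ssl::server_name"))
    return findings
```

Run `lint_ssl_bump(ORIGINAL_CONF)` to see all four findings; the polished configuration produces none.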