On 04/21/2016 01:59 PM, Odhiambo Washington wrote:
> On 21 April 2016 at 22:04, Amos Jeffries wrote:
> > On 22/04/2016 6:20 a.m., Odhiambo Washington wrote:
> > I have now changed to *configurations suggested specifically for your use case, on this email thread* :)
> >
> > acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump stare all
> > ssl_bump bump all
>
> No the "stare" being done will prevent splice and you will see breakage or unexpected things again.
> You have to replace 'stare' with 'peek' AND replace 'bump' with 'splice'.
>
> Like below???
>
> acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> ssl_bump splice no_ssl_interception
> ssl_bump peek all
> ssl_bump splice all

Logging aside, your latest random configuration is equivalent to

    ssl_bump splice all

which means you are better off not intercepting SSL at all, which brings us back to the old question: What do you want Squid to do?

If you want Squid to not intrude except when terminating prohibited traffic, then start with this sketch:

    ssl_bump terminate prohibited_traffic
    ssl_bump peek all
    ssl_bump splice all

If you want Squid to intrude (where possible) and block prohibited traffic, then install your CA certificates on all user devices and start with this sketch:

    ssl_bump splice things_that_are_impossible_to_bump
    ssl_bump stare all
    ssl_bump bump all
    http_access deny prohibited_traffic

Alex.
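Added example, not part of the original thread and not Squid's own code: a simplified Python model of the documented ssl_bump evaluation (rules are re-checked at each of the three steps, the first matching rule whose action is possible at that step wins), run over the rule sets quoted above. It assumes an ACL matches a connection at every step or at none; `decide` and the constant names are hypothetical.

```python
# Simplified model of Squid's documented ssl_bump step evaluation (not Squid code).
# Assumption: an ACL either matches the connection at every step or at none.
STEP_ACTIONS = {
    1: {"splice", "bump", "peek", "stare", "terminate"},
    2: {"splice", "bump", "peek", "stare", "terminate"},
    3: {"splice", "bump", "terminate"},  # peek and stare are impossible at step 3
}
FINAL = {"splice", "bump", "terminate"}

# Rule sets copied from the thread (ssl_bump lines only).
LATEST = """
ssl_bump splice no_ssl_interception
ssl_bump peek all
ssl_bump splice all
"""
SPLICE_ALL = "ssl_bump splice all"
NON_INTRUSIVE = """
ssl_bump terminate prohibited_traffic
ssl_bump peek all
ssl_bump splice all
"""
INTRUSIVE = """
ssl_bump splice things_that_are_impossible_to_bump
ssl_bump stare all
ssl_bump bump all
"""

def decide(conf, matching_acls=()):
    """Return the action chosen at each step for one connection."""
    rules = [line.split()[1:3] for line in conf.strip().splitlines()]
    acls = set(matching_acls) | {"all"}
    allowed = dict(STEP_ACTIONS)
    trace = []
    for step in (1, 2, 3):
        # First rule whose action is possible at this step and whose ACL matches;
        # the documented default when nothing matches is splice.
        action = next((a for a, acl in rules
                       if a in allowed[step] and acl in acls), "splice")
        trace.append(action)
        if action in FINAL:
            break
        if step == 2:
            # Modeled as strict: peek at step 2 rules out bump at step 3,
            # stare rules out splice (the documentation says "usually").
            allowed[3] = allowed[3] - ({"bump"} if action == "peek" else {"splice"})
    return trace

if __name__ == "__main__":
    for name in ("LATEST", "SPLICE_ALL", "NON_INTRUSIVE", "INTRUSIVE"):
        print(name, decide(globals()[name]))
```

In the model, every connection under the peek/splice rule set ends in splice, with or without the `no_ssl_interception` match, which is the same final action `ssl_bump splice all` gives.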