On 10/11/2016 11:09 AM, - - wrote:
> currently I try to configure peek-and-splice on Centos7 and squid4. I have a
> running config for Centos6.6 and squid 3.5.18.

It might be useful to confirm that v4.0 does not work on Centos6.6
either (so that there is only one variable -- the Squid version).

> No matter what I try I can't get squid4 to splice certain sites and to
> bump/terminate the rest. My config is as follows:
>
> acl sni_exclusions ssl::server_name .google.com
> acl sni_exclusions ssl::server_name .google.de
>
> acl tcp_level at_step SslBump1
> acl client_hello_peeked at_step SslBump2
> ssl_bump peek tcp_level all
> ssl_bump splice client_hello_peeked sni_exclusions
> ssl_bump bump all
>
> if I replace the ssl_bump bump all with ssl_bump terminate all, all sites are
> terminated, if I do a ssl_bump splice all, all https traffic is going through.

Which implies that your splice rule never matches or the match is
ignored for some reason.

> if I accept
> the self generated certificate access the webpage is allowed. If I do the same
> with a site not allowed I'll get redirected to the deny_info page after
> accepting the certificate.

This is consistent with the above theory.

The logs you have posted do not contain ACL evaluation and
post-evaluation details so it is difficult to say why splice does not
work. Please post more related lines from an ALL,9 log. For example,
something like the following might work:

    $ egrep -200 -i 'acl|google|-----|bump|sni' cache.log

Compress the results if needed.

Alex.
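As an added illustration (not part of the original thread and not Squid code), the following model evaluates the posted rules step by step to show the outcome they are expected to produce, which is the baseline the ALL,9 log should be compared against. The function names, the first-match model, and treating the SNI as unknown at SslBump1 are assumptions of this example.

```python
# Added illustration, not Squid code: models only the ACL types in the posted config.
CONFIG = """
acl sni_exclusions ssl::server_name .google.com
acl sni_exclusions ssl::server_name .google.de
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2
ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all
"""

def parse(config):
    acls, rules = {}, []
    for line in config.strip().splitlines():
        words = line.split()
        if words[0] == "acl":
            name, acl_type, values = words[1], words[2], words[3:]
            # Repeated acl lines with the same name add values (logical OR).
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif words[0] == "ssl_bump":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, step, sni):
    if name == "all":
        return True
    acl_type, values = acls[name]
    if acl_type == "at_step":
        return step in values
    if acl_type == "ssl::server_name":
        # ".google.com" covers google.com and every subdomain of it.
        return sni is not None and any(
            sni == v.lstrip(".") or (v.startswith(".") and sni.endswith(v))
            for v in values)
    raise ValueError("ACL type not modelled: " + acl_type)

def decide(config, sni):
    """Return the expected (step, action) trace; SNI is unknown at SslBump1."""
    acls, rules = parse(config)
    trace = []
    for step in ("SslBump1", "SslBump2", "SslBump3"):
        seen_sni = sni if step != "SslBump1" else None
        # ACLs on one ssl_bump line are ANDed; the first matching line wins.
        action = next((a for a, names in rules if all(
            acl_matches(acls, n, step, seen_sni) for n in names)), None)
        trace.append((step, action))
        if action in (None, "splice", "bump", "terminate"):
            break  # final action (or no matching rule) ends the evaluation
    return trace
```

If the log shows `sni_exclusions` evaluating to a non-match at SslBump2 for a name this model splices, the server name seen by the ACL is the place to look next.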