On 10/11/2016 11:36 AM, Alex Rousskov wrote:
> On 10/11/2016 11:09 AM, - - wrote:
>> No matter what I try I can't get squid4 to splice certain sites and to
>> bump/terminate the rest. My config is as follows:
>>
>> acl sni_exclusions ssl::server_name .google.com
>> acl sni_exclusions ssl::server_name .google.de
>>
>> acl tcp_level at_step SslBump1
>> acl client_hello_peeked at_step SslBump2
>> ssl_bump peek tcp_level all
>> ssl_bump splice client_hello_peeked sni_exclusions
>> ssl_bump bump all
>>
>> If I replace the ssl_bump bump all with ssl_bump terminate all, all sites are
>> terminated, if I do a ssl_bump splice all, all https traffic is going through.
>
> Which implies that your splice rule never matches or the match is
> ignored for some reason.

AFAICT, ssl::server_name and ssl_server_name_regex are completely broken
in v4.0 as far as step1 (and equivalent) matches are concerned.

Please try the above trunk patch. It may need more work (and a v3.5
port/investigation) but it fixes the biggest/obvious problems in my tests.

Thank you,

Alex.