Re: Squid Websocket Issue


Hey Alex,

Actually, it's the reverse. If I remove !serverIsws, somehow websockets will not work. Conversion does not happen and I get 400 Bad Request, whereas if I put !serverIsws then the request is converted and the status code is 101.

acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all

So the above works, but if I remove serverIsws then it will not work at all, i.e.

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump all

The above does not work.

This is actually surprising for me too :) I did a lot of tests with other websocket apps used by my network, and when I remove rules from bump it will not work. Maybe Amos could tell us something that we don't understand about ACLs.


On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 12/20/2016 02:42 AM, Hardik Dangar wrote:
> The following changes in config work and WhatsApp starts working,
>
> acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice serverIsws
> ssl_bump bump !serverIsws all

You do not need the "!serverIsws" part because if serverIsws matches,
then the splice rule wins, and Squid does not reach the bump rule. This
configuration is sufficient:

  ssl_bump peek step1
  ssl_bump splice serverIsws
  ssl_bump bump all

In theory, adding "!serverIsws" does not hurt. However, negating complex
ACLs is tricky/dangerous and should be avoided when possible.

Alex.


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
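
The first-match ordering described in Alex's reply can be checked with a small model, given here as an added example that is not part of the thread and is not Squid's code. It parses only the directives quoted above and assumes the TLS server name is already known at the step being evaluated; the function names and sample hostnames are made up for illustration. It models rule ordering only, not Squid's internal handling, so it does not account for the difference reported at the top of the thread.

```python
import re

# The two rule sets from the thread, copied as posted.
ACLS = r"""
acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
acl step1 at_step SslBump1
"""
WITH_NEGATION = ACLS + """
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all
"""
WITHOUT_NEGATION = ACLS + """
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump all
"""

def parse(config):
    """Return (acls, rules) for the acl/ssl_bump directives used above."""
    acls, rules = {"all": lambda step, sni: True}, []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "acl" and tok[2] == "ssl::server_name_regex":
            rx = re.compile(tok[3])
            acls[tok[1]] = lambda step, sni, rx=rx: bool(rx.search(sni))
        elif tok[0] == "acl" and tok[2] == "at_step":
            acls[tok[1]] = lambda step, sni, want=tok[3]: step == want
        elif tok[0] == "ssl_bump":
            rules.append((tok[1], tok[2:]))
        else:
            raise ValueError(f"unsupported directive: {line!r}")
    return acls, rules

def decide(config, step, sni):
    """First rule whose ACLs all match wins; a leading '!' negates an ACL."""
    acls, rules = parse(config)
    for action, names in rules:
        if all(acls[n.lstrip("!")](step, sni) != n.startswith("!") for n in names):
            return action
    return None  # no rule matched; Squid's default handling is not modelled

def compare(sni, step="SslBump2"):
    """Decision under each rule set for a (constructed) server name."""
    return decide(WITH_NEGATION, step, sni), decide(WITHOUT_NEGATION, step, sni)
```

In this model `compare()` returns the same action for both rule sets on every input, because a name matching serverIsws is consumed by the splice rule before the bump rule is consulted.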
