I should add this is squid-3.5.27. Thank you.
Topic says it... this setup has been working well for a long time, but now some sites are failing the TLS handshake. Here's my setup:
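# Squid 3.5 intercept proxy. HTTP is filtered by URL regex; HTTPS is
# peeked at (SNI only), spliced for allow-listed server names and
# terminated otherwise. Only hosts in the pattern file are reachable.

# Local client range. Defined but not referenced by any http_access rule
# below; the intercept ports are the only thing limiting who uses the proxy.
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
# The same pattern file is shared with ssl::server_name_regex below.
# url_regex is matched against the whole request URL, server_name_regex
# against the SNI host. Unanchored patterns such as those in http_url.txt
# match anywhere in the string, so a look-alike hostname or a URL carrying
# the pattern in its path/query also matches; anchor them (e.g. a trailing
# `$` on the host part) if the list is meant to be exact.
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
# ACL names are case-sensitive: the ACL defined above is "SSL_ports".
# "SSL_Ports" refers to an ACL that does not exist.
http_access deny CONNECT !SSL_ports
# Every port-443 request is admitted here; the per-site decision for HTTPS
# is made by the ssl_bump rules, not by http_access.
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all

# Step 1: look at the TLS ClientHello (SNI) without bumping the connection.
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
# Allow-listed server names are tunnelled untouched; everything else is closed.
ssl_bump splice allowed_https_sites
ssl_bump terminate all

# Server-certificate checking for bumped connections is disabled here
# (certificate errors allowed, peer not verified), which also makes
# sslproxy_capath ineffective. With peek/splice/terminate above nothing is
# bumped, so these have no effect today, but they will silently drop
# certificate validation the moment a bump rule is added.
sslproxy_cert_error allow all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_options ALL
# Certificate generator; only exercised when connections are actually bumped.
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

# Access log to syslog, including SNI and (for bumped traffic) the server
# certificate subject, so terminated handshakes can be matched to a hostname.
logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /opt/var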
For example, the file http_url.txt contains:
account\.elderscrollsonline\.com
\.elderscrollsonline\.com
elderscrollsonline\.com
Is there anything I can do to continue using squid as more and more sites move to HTTP/2? Pcap enclosed... thank you.
James