On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote: On 26/11/17 00:52, James Lay wrote:On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:Doing the splice check before the peek should do that. First one of the server_names data sources to match will then splice and non-matches fall through to either peek or terminate if no more peeking possible. AmosOn 25/11/17 08:30, James Lay wrote:Thanks Amos...do you have a suggestion for changing this to match one or the other instead of both?Topic says it...this setup has been working well for a long time, but now there are some sites that are failing the TLS handshake. Here's my setup: acl localnet src 192.168.1.0/24 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt" http_access deny !Safe_ports http_access deny CONNECT !SSL_Ports http_access allow SSL_ports http_access allow allowed_http_sites http_access deny all ssl_bump peek all acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt" ssl_bump splice allowed_https_sites ssl_bump terminate allBecause you have "peek all" being performed the transaction MUST pass your regex patterns with both TLS SNI from the client *and* the server certificate SubjectName values. Either one not matching will perform that "terminate all" on the TLS handshake. Perfect..I've modded my lines with: acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt" ssl_bump splice broken_https_sites ssl_bump peek all acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt" ssl_bump splice allowed_https_sites ssl_bump terminate all Hopefully that fixes these up. Another site besides the the one this thread is fbcdn.net. Again, these DID work, but something within the last month has changed...guessing Facebook and Elder Scrolls Online have added additional TLS security. Thanks as always Amos. James |
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users