On 02/12/17 07:05, James Lay wrote:
On 2017-11-29 07:29, Amos Jeffries wrote:
On 28/11/17 03:50, James Lay wrote:
On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
Perhaps an alternative is to peek only on step1:
acl step1 at_step SslBump1
ssl_bump peek step1
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
Hrmm...wouldn't that negate the ability to read the cert on step2?
Yes it would.
In layman's terms I'm thinking:
"peek at step1"
"splice acl allow matched sni's"
"peek at step2"
"splice acl allow'd matched certs"
"terminate the rest"
Would that work Amos?
This is essentially what I suggested at the beginning.
Placing splice action and your ACLs on the first ssl_bump line ensures
that at each step if enough details are known to splice it will
happen.
The second line being "peek all" makes peek happen at every step for
which it is possible (step 1 and step 2 - not step 3).
"terminate all" being last makes it happen for "all the rest", aka
step 3 if Squid gets that far without splicing.
The only difference is that my suggested way would also allow splicing
the CONNECT if it happens to be presented with a host name in the
authority-URI. Which cannot happen on your proxy unless your port 3128
happens to be intercepting traffic between clients and another proxy.
Ah...ok so this is my lack of understanding then of peek/splice. Sounds
like this is what I can try:
ssl_bump splice all
ITYM 'peek all' there.
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
Is that what you're meaning Amos? Thanks again.
James
Amos
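The rule ordering discussed above (splice-on-ACL first, then "peek all", then "terminate all", versus peeking only at step 1), modelled as an added example that is not part of the thread and not Squid's own code. It is a simplified Python simulation of how ssl_bump lines are evaluated at each SslBump step: the name checked by the allow-list ACL is taken to be the CONNECT authority host at step 1, the SNI at step 2 and the server certificate CN at step 3; rules whose action is not possible at the current step are skipped (as Amos notes for "peek all" at step 3); the ALLOWED_PATTERNS list stands in for /opt/etc/squid/http_url.txt and the sessions are constructed; the "no rule matched" default is modelled as splice, which is an assumption of the model.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the regex allow-list in /opt/etc/squid/http_url.txt
ALLOWED_PATTERNS = [r"^(.*\.)?example\.com$", r"^mail\.example\.net$"]


@dataclass
class Rule:
    """One ssl_bump line: an action and a single ACL name (simplified model)."""
    action: str   # "peek", "splice" or "terminate"
    acl: str      # "all", "step1" or "allowed_https_sites"


@dataclass
class Session:
    """What the proxy can learn about one TLS connection, per step."""
    connect_host: Optional[str]  # host name in the CONNECT authority; None when intercepted
    sni: Optional[str]           # SNI from the client hello; None if the client sent none
    cert_cn: Optional[str]       # CN of the server certificate seen at step 3


# Which piece of session information ssl::server_name_regex sees at each step (model)
STEP_NAME_FIELD = {1: "connect_host", 2: "sni", 3: "cert_cn"}

# Peek is only possible at steps 1 and 2, so a "peek" rule is skipped at step 3 (model)
ACTIONS_POSSIBLE = {
    1: {"peek", "splice", "terminate"},
    2: {"peek", "splice", "terminate"},
    3: {"splice", "terminate"},
}


def acl_matches(acl: str, step: int, session: Session) -> bool:
    """Evaluate the ACL name against the information available at this step."""
    if acl == "all":
        return True
    if acl == "step1":                      # acl step1 at_step SslBump1
        return step == 1
    if acl == "allowed_https_sites":        # ssl::server_name_regex "<file>"
        name = getattr(session, STEP_NAME_FIELD[step])
        return name is not None and any(re.search(p, name) for p in ALLOWED_PATTERNS)
    raise ValueError(f"unknown acl {acl!r}")


def evaluate(rules: List[Rule], session: Session) -> List[Tuple[int, str]]:
    """Walk steps 1..3; at each step take the first rule whose action is possible
    and whose ACL matches. Splice and terminate are final; peek continues."""
    trace = []
    for step in (1, 2, 3):
        action = None
        for rule in rules:
            if rule.action not in ACTIONS_POSSIBLE[step]:
                continue
            if acl_matches(rule.acl, step, session):
                action = rule.action
                break
        if action is None:
            action = "splice"  # assumption: no matching line is modelled as a plain tunnel
        trace.append((step, action))
        if action in ("splice", "terminate"):
            break
    return trace


# Alex K's variant: peek only at step 1, then splice-or-terminate on the SNI
CONFIG_PEEK_STEP1_ONLY = [
    Rule("peek", "step1"),
    Rule("splice", "allowed_https_sites"),
    Rule("terminate", "all"),
]

# Amos's ordering: splice as soon as enough is known, peek otherwise, terminate the rest
CONFIG_SPLICE_PEEK_TERMINATE = [
    Rule("splice", "allowed_https_sites"),
    Rule("peek", "all"),
    Rule("terminate", "all"),
]

# Constructed sessions
INTERCEPTED_WITH_SNI = Session(None, "www.example.com", "www.example.com")
INTERCEPTED_NO_SNI = Session(None, None, "mail.example.net")      # cert is the only name
EXPLICIT_CONNECT = Session("www.example.com", "www.example.com", "www.example.com")
INTERCEPTED_BLOCKED = Session(None, "evil.test", "evil.test")

if __name__ == "__main__":
    for label, cfg in (("peek step1 only", CONFIG_PEEK_STEP1_ONLY),
                       ("splice/peek/terminate", CONFIG_SPLICE_PEEK_TERMINATE)):
        for s in (INTERCEPTED_WITH_SNI, INTERCEPTED_NO_SNI, EXPLICIT_CONNECT, INTERCEPTED_BLOCKED):
            print(f"{label:22} {s} -> {evaluate(cfg, s)}")
```

Running the two configurations over the same sessions shows the difference Amos points out: with "peek step1" the client that sends no SNI is terminated at step 2 before its certificate is ever seen, while the splice/peek/terminate ordering peeks again at step 2 and splices at step 3 on the certificate name; and only the latter splices an explicit CONNECT at step 1 when the authority already carries an allowed host name.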
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users