On 06/12/17 21:07, G~D~Lunatic wrote:
my squid is a transparent proxy. and the problem is that i can't access
the svn server.
the access.log shows that
1512545348.844 380 192.168.51.15 TAG_NONE/200 0 CONNECT
192.168.52.6:443 - ORIGINAL_DST/192.168.52.6 -
1512545348.920 0 192.168.51.15 TAG_NONE/503 4324 OPTIONS
https://192.168.52.6/svn/WATMdev/trunk/development/third_period/icapServer
- HIER_NONE/- text/html
but when i use splice step . the access is normal. so i want to know
what's the problem.
You will have to check the 503 that Squid is delivering there.
There does not appear to be any server name known, which might have
something to do with it. Its not easy to generate a proper server
certificate without a server name.
Here is my configure
https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/usr/local/squid/ssl_cert/myCA.pem
key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2
It may have something to with these restrictions against SSLv2 and v3.
Do you have anything similar on the sslproxy_* options?
acl broken_sites ssl::server_name matchweb.sports.qq.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump splice broken_sites
#ssl_bump splice all
ssl_bump stare ssl_step1
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Limitations>
The splice above is likely not possible to be done with the step1 or
step2 data after this stare happens.
Note that is a *maybe*. You will have to check the traffic, the error
messages etc to know for sure what is going on.
ssl_bump bump ssl_step2
ssl_bump terminate ssl_step3
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
