> > Example:
> >
> >     ssl_bump splice noBumpSites # this will be totally ignored by Squid if a stare rule precedes this.
>
> No, this is incorrect. There are many cases where a previous stare rule will not
> have the effect you state it will. For example:
>
>     # Squid may splice at step2 despite the preceding stare rule
>     # because staring at step1 does not preclude splicing.
>
>     ssl_bump stare step1
>     ssl_bump splice noBumpSites

Well yes, I think you are right; but my example (or what I wanted to say) was:
(Maybe you posted that to give an example of how that rule could possibly not match, I don't know.)

    ssl_bump stare noBumpSites   (at this line your example said: ssl_bump stare step1)
    ssl_bump splice noBumpSites

...And here a "key question" appears:

    ssl_bump stare noBumpSites # This is the first line of the SslBump ruleset.

So, when Squid reaches this first rule and line (there is no explicit step), does Squid run a "loop of steps" only along the first line, and go to the next line only when the rule stops being applicable/matchable?

If the answer to my question is "Yes", then the second line has no effect, because I guess that Squid will do a bump in more or less this way:

    ssl_bump stare noBumpSites

...is the same as:

    ssl_bump stare step1 noBumpSites
    ssl_bump stare step2 noBumpSites # Here is where the second line stops making sense
    ssl_bump bump step3 noBumpSites  # Finally bump, due to the previous step

Thus:

    ssl_bump splice noBumpSites # will never match.

Going back a bit, Amos explained the following when I asked:

>> ...So that means that Squid processes the SslBump directives:
>> 1: maybe more than one time in a single request...?
>>
> Yes. Up to 3 times. A peek or splice action causes another check later.

Well, Amos never mentioned a "stare" action here, so I don't know if a "stare" applies to this too. And even worse, maybe I did not understand him correctly.
> # Squid will splice at step1 despite the preceding stare rule
> # because the preceding stare rule never matches
>
> ssl_bump stare !all
> ssl_bump splice all

And this example is more obvious than the first one. It is as if that previous line did not exist.

(...)

> > Does not the splice at step1 and step2 action avoid this? I mean if
> > squid acts as a -TCP forward proxy only- for noBumpSites. "Don't touch
> > TLS bytes"
>
> I am not sure what you mean by "this" exactly, but splicing (at any
> step) does not guarantee the lack of errors.

OK, but is Squid the culprit of those errors? It is being a passive observer of that TLS traffic. Here, I am talking about the idea of (explicitly) splicing at step1 and then at step2 a whitelist of sites.

Question based on the words below:

>>> * If successful, ssl_bump peek and splice actions do not alter TLS
>>> bytes. Peeking and/or splicing Squid can be viewed as a TCP proxy as far
>>> as TLS bytes forwarding is concerned. The client and the origin server
>>> will see the same TLS bytes they would have seen if Squid was not there.
>>>
>>> * In this scope, various errors are usually equivalent to applying the
>>> "bump" action.

> The earlier you tell Squid to
> splice the connections, the fewer checks Squid will do, decreasing the
> probability of an error.

That is the idea with the noBumpSites ACL: the least amount of errors possible. Let's say: "Let's remove as much responsibility as possible from Squid for what happens with really/specially sensitive sites, if something goes wrong."

Talking to Squid, in other words: "Squid, do a *full* bump of msn.com and youtube.com too; but please *never do anything nor touch anything* with bankaust.com.au" (something like that).

> Errors lead to bumping the client connection (to
> deliver the error message).

What do you mean by those errors?
Thank you
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
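A ruleset in the shape the thread is circling, added here as an illustration and not taken from the thread, the quoted replies or Squid's own configuration: the whitelist is decided by a splice at step 2, before any stare rule is consulted, which is the ordering that Alex's "the earlier you tell Squid to splice, the fewer checks" remark points at. The ACL names, the bankaust.com.au entry and the choice to bump everything else at step 2 are assumptions of this example.

```conf
# Added example, not from the thread. ACL names and the domain are assumptions.

# at_step lets a rule match only at one SslBump step; ssl::server_name is the
# host from the CONNECT request at step 1 and the SNI from step 2 onwards.
acl step1 at_step SslBump1
acl noBumpSites ssl::server_name .bankaust.com.au

# Step 1: peek only. Squid forwards the client's ClientHello unchanged and
# learns the SNI without giving up the option to splice at step 2.
ssl_bump peek step1

# Step 2: the whitelist is decided here. Because this rule is evaluated before
# any stare or bump rule, a whitelisted connection is spliced and the rules
# below are never reached for it, so its TLS bytes are forwarded untouched.
ssl_bump splice noBumpSites

# Step 2 for everything else: bump (the server side is negotiated by Squid).
ssl_bump bump all
```

The order of the two action rules is the whole point: with `splice noBumpSites` first, the question raised above about a preceding `stare` rule on the same ACL does not arise, because for a whitelisted server no stare rule is ever evaluated. Peeking rather than staring at step 1 matters for the same reason, since a peek keeps splicing possible at step 2.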