> After a splice rule is applied, SslBump is over. No more rules are
> checked. No more loops are iterated. Squid simply "exits" the SslBump
> feature (and becomes a TCP tunnel).

How is that? What about the meaning of the ACLs at step1 when splicing? e.g.: there are only these two rules for ssl_bump statements:

ssl_bump step1 splice sitesAB
ssl_bump step1 splice SitesCD

I guess that here, Squid has to do 2 loops at the outer/main loop to evaluate step1 twice, since the rules differ (sitesAB and sitesCD ACLs), and see if both match to splice. Probably this example does not make sense: "Why not use just 1 ACL instead of 2?" But it is an example to understand and fix ideas. Are you (perhaps) talking about the examples in the thread and not what happens "in general"?

> If noBumpSites matches at step2, then, yes, Squid will splice at step3
> by default. Otherwise, no; Squid will bump at step3 by default.

[...]

You mentioned that explanation two times. The question (maybe obvious) is: in which case could the "noBumpSites" ACL not match? I mean, if I tell Squid: "splice at step1 this.site.net", how can that match fail? Maybe you referred to the case where a site is just not listed in the ACL.

> > ssl_bump splice noBumpSites # This line reaches a splice rule at step1
> > ssl_bump stare
> >
> > Squid is telling to the client: "I will not touch any TLS byte.
> > [...] I will do as many checks as possible then You will be connected..."
>
> The configuration above does not match your summary because the
> configuration has a "stare" action that may run at (step1 and) step2
> (and, hence, a possibility of the bump action at step3). Staring at
> step2 and bumping (at any step) modify TLS bytes, of course.
>
> Perhaps your summary only applies to the cases where noBumpSites
> matches (either at step1 or at step2), but the summary did not make
> that clear.

Here arises more or less the same doubt as above, and as the final one.

> There is a big difference between explaining Squid actions for a
> particular transaction and summarizing what a particular configuration
> means (for all transactions). Unless noted otherwise, I am focusing on
> the latter.
>
> AFAICT, the primary difference between
>
> ssl_bump peek noBumpSites
> ssl_bump stare
>
> and
>
> ssl_bump splice noBumpSites
> ssl_bump stare
>
> is that the former requires a noBumpSites match at step2 for the
> connections to be spliced.

Yes. The condition you state is mandatory but, again: why could that requirement fail/not match?

Thank you for your patience

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
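An added illustration (not part of the thread, and not a configuration posted by either participant) of the point being discussed: "noBumpSites fails to match" simply means the connection's server name is not in the list, and the step at which the match is attempted decides what Squid can still do afterwards. The fragment below pins each ssl_bump action to an explicit step with at_step ACLs, so that the splice decision is only ever made once the SNI is known (step2), and adds a log format to confirm per transaction which action Squid actually took. It assumes an http_port already configured with ssl-bump and certificate generation; the list file path and log path are placeholders.

```conf
# Added example for the thread above; not from the squid-users posts.
# Assumes an http_port with ssl-bump and sslcrtd already set up.

# SslBump steps: which information is available when a rule is evaluated.
acl step1 at_step SslBump1   # only the CONNECT target / intercepted IP:port
acl step2 at_step SslBump2   # client ClientHello parsed: the TLS SNI is known
acl step3 at_step SslBump3   # server certificate received

# Sites that must never be decrypted. Matched against the SNI at step2 and
# against the server certificate at step3. Placeholder path.
acl noBumpSites ssl::server_name "/etc/squid/nobump-sites.txt"

# step1: do not decide yet; peek so that the ClientHello is read and the
# SNI becomes available. No rule below can splice or bump at step1.
ssl_bump peek step1

# step2: if the SNI is listed, splice. SslBump ends here for this
# connection (no further rules, no step3): Squid becomes a TCP tunnel.
# If the SNI is NOT listed, this rule does not match and evaluation
# continues with the next line. That is the only way noBumpSites "fails".
ssl_bump splice noBumpSites

# step2, unlisted SNI: stare, which keeps the bump option open for step3.
ssl_bump stare step2

# step3 (only reached by stared connections): decrypt.
ssl_bump bump all

# Verification: one line per transaction with the action Squid chose and
# the SNI it saw. Expect "splice" for listed names and "bump" otherwise.
logformat sslbumplog %ts.%03tu %>a %ssl::bump_mode %ssl::>sni %ru
access_log /var/log/squid/sslbump.log sslbumplog
```

Compared with the two-line variants in the thread, nothing here is left to a step default: a splice can only come from a step2 SNI match, and a bump only from a step3 rule on a connection that was stared at step2. Reading the bump_mode column of the log is the quickest way to answer "did noBumpSites match for this site?" for a real transaction rather than reasoning about the configuration in general.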