On 09/21/2018 09:08 AM, Julian Perconti wrote:

> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump stare step2
> # Second rule:
> ssl_bump splice noBumpSites
>
> I think that this rule should implicitly match only at step2.

I do not know what "implicitly match" means here, but yes, the splice rule may only match at step2 in this configuration:

* It cannot match at step1 because the earlier "peek" rule matches at step1.

* It is always reached during step2 because no rules above it can match during step2. Whether it matches during step2 depends on whether noBumpSites matches a particular transaction during step2.

* It cannot match at step3 because for a splice rule to match at step3 a peek rule has to match at step2, and there is no peek rule that can match at step2 in your configuration.

> However as I said above if the splice is the first rule instead the
> peek, the squid's behaviour changes.

Naturally. If you place the splice rule first, it may match during step1 as well. If you do not, it cannot.

>> After a splice rule is applied, SslBump is over. No more rules are
>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>> feature (and becomes a TCP tunnel).

> Here, probably (not sure) Alex referred here to "splice all" rule.

I think you are ignoring or misinterpreting the verb "applied". Here, "applied" means Squid has executed the rule action. Not just considered the rule containing that action, but actually ran that action. Applying a rule action implies that the rule ACLs (whatever they were) matched, of course. A rule action is never applied when the rule ACLs do not match.

> In that case is clear "splice is a final action" then no more future checks.

The notion of a "final" action does not depend on rule ACLs. After Squid applies the "splice" action (in whatever context, for whatever reason), SslBump processing for that transaction is over. Same for "bump" and "terminate" actions.
> But in my config next to splice there is an ACL. That is why I asked: "But, doesn't the ACL matters?" in earlier mail.

ACLs (and other things) determine which rules match. After a rule matches, then Squid applies its action, and then the notion of a "final action" starts to matter.

> Will Squid ignore the last rule?

No. The last rule will be applied at step2 whenever noBumpSites mismatches at step2.

HTH,

Alex.
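The rule walk described in the message above, as a small Python model. This is an added example, not code from the thread or from Squid: `walk`, `possible` and the way ACLs are represented are assumptions made for illustration. It models only peek, stare and splice rules, and it does not model what Squid does when no rule matches at a step.

```python
# Toy model of the ssl_bump rule walk discussed in this thread (not Squid code).
# A rule is (action, acl). The ACLs "step1"/"step2" match only at that step;
# "noBumpSites" matches at the steps listed by the caller (constructed input).

FINAL = {"splice", "bump", "terminate"}  # applying one of these ends SslBump

def possible(action, step, prev):
    """Can this action be applied at this step, given the previous action?"""
    if step == 3:
        if action in ("peek", "stare"):
            return False            # there is no further step to peek/stare into
        if action == "splice":
            return prev == "peek"   # splice at step3 needs a peek match at step2
    return True

def acl_matches(acl, step, no_bump_steps):
    if acl in ("step1", "step2", "step3"):
        return acl == f"step{step}"
    if acl == "noBumpSites":
        return step in no_bump_steps
    raise ValueError(f"unknown ACL in this model: {acl}")

def walk(rules, no_bump_steps):
    """Return [(step, applied_action)]; None means no rule matched at that step."""
    trace, prev = [], None
    for step in (1, 2, 3):
        for action, acl in rules:   # rules are checked top to bottom at every step
            if possible(action, step, prev) and acl_matches(acl, step, no_bump_steps):
                trace.append((step, action))
                prev = action
                break
        else:
            trace.append((step, None))  # Squid's behaviour here is not modeled
            return trace
        if prev in FINAL:           # "applied" final action: no more rules, no more steps
            return trace
    return trace

# The configuration quoted in the message, and the variant with splice first.
THREAD_CONFIG = [("peek", "step1"), ("splice", "noBumpSites"), ("stare", "step2")]
SPLICE_FIRST = [("splice", "noBumpSites"), ("peek", "step1"), ("stare", "step2")]

if __name__ == "__main__":
    for name, rules in (("thread", THREAD_CONFIG), ("splice-first", SPLICE_FIRST)):
        for steps in ({1, 2, 3}, set()):
            print(name, sorted(steps), walk(rules, steps))
```

With the thread's rule order, splice is only ever applied at step2 even when noBumpSites would already match at step1; with splice first, the same transaction is spliced at step1.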