On 09/26/2018 11:40 AM, Julian Perconti wrote: >> It is impossible for any transaction to be spliced at step3 with this >> configuration. Whether the transaction matches or does not match >> noBumpSites at any given step is irrelevant for this statement. > > OK: In this configuration it is impossible any kind of splice at step3; but not for step2. Yes, your configuration makes splicing possible at step2 (and only at step2). > Strictly speaking final actions (and maybe any action) do not depend > on the acl, let's say it is a natural function/behavior of Squid > beyond any acl. Correct. > However, when a final action is present in a rule and that rule > contains an ACL, the final action will apply to that ACL. "apply to ACL" does not make sense. ACLs of a [final] action rule affect when the final action is applied. They are a necessary (but not sufficient) preconditions for applying the action. >> An action presence in the rules does not, on its own, stop Squid from >> processing lower rules. *Applying* a final action does. > So, why squid process the last rule which stare at step 2? He already > applied the splice to the ACL sites. For your configuration: * If Squid applied the splice rule, then it will ignore the stare rule. * If Squid reached but did _not_ apply the splice rule, then it will apply the stare rule instead. FWIW, I do not understand why you do not seem to understand this fairly straightforward algorithm so I cannot explain it better. I can correct your statements, but I do not know _why_ you keep making statements that need correction. We are running in circles. It could be just a language barrier. > So going back to current config: > > ssl_bump peek step1 > ssl_bump splice noBumpSites > ssl_bump stare step2 > Due to I think that: the splice action happens at step2 (more > checks?), and not at step 1 (less checks); Correct. > This is the config the one of best fit to my necessities. Glad you found what you were looking for. This is minor, but replacing "step2" in the last/stare rule with "all" would be slightly better because "all" is simpler and should be faster to compute than "step2". This minor simplification/optimization will not change the overall meaning of the configuration. I added a similar configuration example to Squid wiki at https://wiki.squid-cache.org/Features/SslPeekAndSplice HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
