On 2/17/20 9:56 AM, AndyBinder@xxxxxx wrote:

> I think I am doing something wrong..

What exactly is not working now? You have not disclosed what new problem you are facing, and Amos has given you the correct answer to your original question.

> In brackets there are the changes I have made.
>
> Sample snippet from my squid.conf:
>
> http_port 127.0.0.1:3128 name=transparent intercept ssl-bump ..
> https_port 127.0.0.1:3129 name=transparent intercept ssl-bump ...

I have not checked, but I would not be surprised if some Squid parts assume (or will assume) that port name is unique. I recommend avoiding using the same name=value for two *_ports.

> http_port 192.168.1.1:3128 ssl-bump ...
> tls_outgoing_options ...
> acl bump_nobumpsites ssl::server_name ...
> --> (acl bump_nobumpport myportname transparent)
>
> ssl_bump peek bump_step1 all
> ssl_bump peek bump_step2 bump_nobumpsites
> --> (ssl_bump peek bump_step2 bump_nobumpport)
> ssl_bump splice bump_step3 bump_nobumpsites
> --> (ssl_bump splice bump_step3 bump_nobumpport)
> ssl_bump stare bump_step2
> ssl_bump bump bump_step3
> sslproxy_cert_error deny all

I will reorder/polish your rules slightly for clarity's sake:

    ssl_bump peek bump_step1
    ssl_bump peek bump_step2 bump_nobumpsites
    ssl_bump peek bump_step2 bump_nobumpport
    ssl_bump stare bump_step2
    ssl_bump splice bump_step3 bump_nobumpsites
    ssl_bump splice bump_step3 bump_nobumpport
    ssl_bump bump bump_step3

It looks like you are trying to make a splice-or-bump decision at step3. That is impossible because staring at step2 makes splicing (at step 3) impossible and, similarly, peeking at step2 makes bumping (at step3) impossible.
Squid skips impossible actions (and provides step2-based defaults) so your configuration is, essentially:

    # step1
    ssl_bump peek bump_step1

    # step2
    ssl_bump peek bump_step2 bump_nobumpport
    ssl_bump peek bump_step2 bump_nobumpsites
    ssl_bump stare all

    # step3
    ssl_bump splice all
    ssl_bump bump all

In other words, you were trying to make a splice-or-bump decision at step3, but modern Squid has to (and does) make that decision at step2.

If you are not peeking at step2 for some useful side effect, then you can simplify further:

    # step1
    ssl_bump peek bump_step1

    # step2
    ssl_bump splice bump_step2 bump_nobumpport
    ssl_bump splice bump_step2 bump_nobumpsites
    ssl_bump stare all

    # step3
    ssl_bump bump all

Please note that since I do not know what you are trying to accomplish and what does not work, I cannot say why the above simplified configuration does not do what you want it to do.

HTH,

Alex.
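
The rule selection described in the reply above, as an added Python sketch that is not part of the original message and is not Squid code: it walks the three SslBump steps, skips actions that are impossible at the current step, and returns the resulting decision trace. It assumes bump_step1..3 are at_step ACLs, that an ACL either matches for the whole connection or not, and it does not model Squid's no-match fallback; CONFLICT is a constructed rule list.

```python
# Simplified model of ssl_bump rule selection (added illustration, not Squid code).
# Rule = (action, step or None for any step, ACL name or None for "all").
# Assumption: bump_step1..3 on the page are at_step ACLs for SslBump1..3.
ORIGINAL = [  # the poster's rules, as reordered in the reply
    ("peek", 1, None),
    ("peek", 2, "bump_nobumpsites"),
    ("peek", 2, "bump_nobumpport"),
    ("stare", 2, None),
    ("splice", 3, "bump_nobumpsites"),
    ("splice", 3, "bump_nobumpport"),
    ("bump", 3, None),
]
SIMPLIFIED = [  # the reply's last configuration
    ("peek", 1, None),
    ("splice", 2, "bump_nobumpport"),
    ("splice", 2, "bump_nobumpsites"),
    ("stare", None, None),
    ("bump", None, None),
]
# Constructed: tries to splice everything at step3 after staring at step2.
CONFLICT = [("peek", 1, None), ("stare", 2, None),
            ("splice", 3, None), ("bump", 3, None)]

def possible(action, step, prev):
    """Can this action be applied at this step, given the previous step's action?"""
    if action in ("peek", "stare"):
        return step < 3            # look-ahead actions exist only at steps 1 and 2
    if step == 3 and action == "splice":
        return prev != "stare"     # staring at step2 rules out splicing
    if step == 3 and action == "bump":
        return prev != "peek"      # peeking at step2 rules out bumping
    return True

def decide(rules, matching_acls):
    """Return the (step, action) trace for one connection."""
    trace, prev = [], None
    for step in (1, 2, 3):
        for action, at_step, acl in rules:
            if at_step not in (None, step) or (acl and acl not in matching_acls):
                continue
            if possible(action, step, prev):   # impossible actions are skipped
                trace.append((step, action))
                prev = action
                break
        else:
            return trace + [(step, "no-match")]  # fallback not modelled
        if prev in ("splice", "bump", "terminate"):
            break                                 # final action: stop
    return trace
```

Calling `decide(CONFLICT, set())` shows the step3 `splice` rule being skipped after a step2 `stare`, which is why the splice-or-bump choice is effectively fixed at step2.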