On Tuesday, 18 February 2020, 19:42:30 CET, Alex Rousskov wrote:
> On 2/17/20 9:56 AM, AndyBinder@xxxxxx wrote:
> > i think i am doing something wrong..
>
> What exactly is not working now? You have not disclosed what new problem
> you are facing, and Amos has given you the correct answer to your
> original question.
>
> > In brackets there are the changes i have made.
> >
> > Sample snippet from my squid.conf:
> > http_port 127.0.0.1:3128 name=transparent intercept ssl-bump ..
> > https_port 127.0.0.1:3129 name=transparent intercept ssl-bump ...
>
> I have not checked, but I would not be surprised if some Squid parts
> assume (or will assume) that port name is unique. I recommend avoiding
> using the same name=value for two *_ports.
>
> > http_port 192.168.1.1:3128 ssl-bump ...
> >
> > tls_outgoing_options ...
> >
> > acl bump_nobumpsites ssl::server_name ...
> >
> > --> (acl bump_nobumpport myportname transparent)
> >
> > ssl_bump peek bump_step1 all
> > ssl_bump peek bump_step2 bump_nobumpsites
> >
> > --> (ssl_bump peek bump_step2 bump_nobumpport)
> >
> > ssl_bump splice bump_step3 bump_nobumpsites
> >
> > --> (ssl_bump splice bump_step3 bump_nobumpport)
> >
> > ssl_bump stare bump_step2
> > ssl_bump bump bump_step3
> >
> > sslproxy_cert_error deny all
>
> I will reorder/polish your rules slightly for clarity's sake:
>
> ssl_bump peek bump_step1
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump peek bump_step2 bump_nobumpport
> ssl_bump stare bump_step2
> ssl_bump splice bump_step3 bump_nobumpsites
> ssl_bump splice bump_step3 bump_nobumpport
> ssl_bump bump bump_step3
>
> It looks like you are trying to make a splice-or-bump decision at step3.
> That is impossible because staring at step2 makes splicing (at step 3)
> impossible and, similarly, peeking at step2 makes bumping (at step3)
> impossible. Squid skips impossible actions (and provides step2-based
> defaults) so your configuration is, essentially:
>
> # step1
> ssl_bump peek bump_step1
>
> # step2
> ssl_bump peek bump_step2 bump_nobumpport
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump stare all
>
> # step3
> ssl_bump splice all
> ssl_bump bump all
>
> In other words, you were trying to make a splice-or-bump decision at
> step3, but modern Squid has to (and does) make that decision at step2.
>
> If you are not peeking at step2 for some useful side effect, then you
> can simplify further:
>
> # step1
> ssl_bump peek bump_step1
>
> # step2
> ssl_bump splice bump_step2 bump_nobumpport
> ssl_bump splice bump_step2 bump_nobumpsites
> ssl_bump stare all
>
> # step3
> ssl_bump bump all
>
> Please note that since I do not know what you are trying to accomplish
> and what does not work, I cannot say why the above simplified
> configuration does not do what you want it to do.
>
> HTH,
>
> Alex.

Thank you both for your answers and explanations!

Okay, I will try to explain my original intention.

Currently I have 2 working bumping configurations (Squid 4.9):

1. Splice everything (working for blacklisting http and https sites without bumping)

ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

2. Bump everything except bump_nobumpsites

ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3

Now I try to combine both of them into one configuration and want to decide whether to bump or splice via the name tag of the port (= acl bump_nobumpport).

Final wanted situation in words: Bump everything except bump_nobumpsites and bump_nobumpports, but the SNI must be visible to match against blacklisted URLs.

@Alex: I tried your configuration examples but the blacklisted URLs won't match on https sites.
Thanks
Andy
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
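A toy model of the ssl_bump step logic Alex describes in the quoted message (first matching rule wins at each step; at step3 only splice after peek or bump after stare is possible, impossible actions are skipped, and a step3 miss falls back to that step2-based default), added here as an example and not code from the thread or from Squid. It assumes that steps 1 and 2 are decided by an explicit rule (Squid's own fallbacks are not modelled) and represents a connection as the set of named ACLs that match it, in place of Squid's ACL engine.

```python
# Added toy model (not from the thread or from Squid) of the ssl_bump step
# logic described above. Assumptions: steps 1 and 2 must be decided by an
# explicit rule, and a "connection" is just the set of named ACLs matching it.
STEP_ACLS = {"bump_step1": 1, "bump_step2": 2, "bump_step3": 3}
FINAL = {"splice", "bump", "terminate"}  # actions that end the decision

# Andy's combined rules, in the order Alex listed them.
ANDY_CONF = """
ssl_bump peek bump_step1
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpport
ssl_bump stare bump_step2
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpport
ssl_bump bump bump_step3
"""

def parse_rules(conf):
    """Return [(action, [acl, ...])] per ssl_bump line; no ACLs means 'all'."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:] or ["all"]))
    return rules

def acl_matches(acl, conn, step):
    # Step ACLs match only their own step; 'all' always matches; other
    # names match when they are in the connection's constructed ACL set.
    if acl in STEP_ACLS:
        return STEP_ACLS[acl] == step
    return acl == "all" or acl in conn

def decide(conf, conn):
    """Per-step actions for one connection, e.g. {1: 'peek', 2: 'stare', 3: 'bump'}."""
    rules, taken, prev = parse_rules(conf), {}, None
    for step in (1, 2, 3):
        # At step3 the step2 action fixes what is still possible (per Alex).
        allowed = ({"peek": {"splice"}, "stare": {"bump"}}.get(prev, set())
                   if step == 3 else {"peek", "stare", "splice", "bump", "terminate"})
        hit = [a for a, acls in rules
               if a in allowed and all(acl_matches(x, conn, step) for x in acls)]
        if hit:
            taken[step] = hit[0]
        elif step == 3 and allowed:
            taken[step] = next(iter(allowed))  # step2-based default
        else:
            raise ValueError(f"no applicable ssl_bump rule at step {step}")
        if taken[step] in FINAL:
            break  # spliced/bumped: later steps never run
        prev = taken[step]
    return taken
```

With this model, decide(ANDY_CONF, {"bump_nobumpsites"}) returns {1: 'peek', 2: 'peek', 3: 'splice'} and decide(ANDY_CONF, set()) returns {1: 'peek', 2: 'stare', 3: 'bump'}, and Alex's "essentially" rewrite gives the same results, which is why the step3 splice rules never change the outcome.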