On 1/2/21 3:08 PM, ngtech1ltd@xxxxxxxxx wrote:
> I am trying to configure 5.0.4 with sslbump to bump only a set of domains.
> * Should I bump all connections with exceptions?
> * Should I bump none else than the exceptions?
> * Based on server_name regex and/or server_name domains

Policy-wise, you should bump as little as possible. The rest depends on your local specifics/goals.

As for implementing any policy, here is a rule of thumb: Workarounds and exceptions aside, make the splicing-vs-bumping _decision_ during step2: stare if the transaction matches your bumping policy, and peek otherwise. Trigger the final splice/bump action during step3 based on the decision made during step2 (modern Squids will do that for you by default).

Rationale:

* It is not possible to properly bump at step1 -- Squid usually does not have enough details (e.g., SNI) to do it properly so early. Thus, it is usually best to just peek at step1.

* It is not possible to make the splicing-vs-bumping _decision_ during step3 -- Squid has to know your intent at the end of step2 because the TLS Hello Squid sends at the beginning of step3 depends on that intent. Thus, the decision has to be made during the only remaining step -- step2.

* Bumping may work better when Squid mimics the server certificate and that can only happen during step3. Splicing works well at earlier steps, but splicing later gives Squid access to the TLS server Hello details that can be useful for logging/triage. Thus, it may be a good idea to delay the splice/bump action until step3. Please keep in mind that the step3 action itself is fully determined by your decision during step2.

> I tried to understand why squid is bumping despite the explicit splice
> action.

Squid bumps either when a bump rule matches OR when Squid decides to serve an error response to the client. The latter often happens when your http_access rules deny CONNECT requests, especially during step1.
Examine your http_access rules and study the response to the first bumped request to confirm that it is a Squid error page.

HTH,

Alex.
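A squid.conf fragment implementing the rule of thumb above (peek at step1, decide at step2, act at step3) together with CONNECT rules that avoid the error-page bumping Alex describes. This is an added illustration, not taken from the thread or from Squid's own documentation; the CA path, helper path, client network and the domain/regex lists are assumed placeholders.

```squid
# Added example, not from the thread. Placeholders: 192.0.2.0/24,
# /etc/squid/ca.pem, /var/lib/squid/ssl_db, .example.com, .partner.example.

# CONNECT must be allowed here: a denied CONNECT makes Squid bump the
# connection just to deliver its error page, whatever the ssl_bump rules say.
acl localnet src 192.0.2.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

http_port 3128 ssl-bump tls-cert=/etc/squid/ca.pem generate-host-certificates=on
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump steps: step1 = CONNECT/TCP only, step2 = client TLS Hello (SNI known),
# step3 = server TLS Hello and certificate known.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Bumping policy, kept as small as possible. Suffix match and regex match
# both evaluate the SNI once it is available at step2.
acl bump_domains ssl::server_name .example.com
acl bump_domains ssl::server_name_regex ^api[0-9]*\.example\.net$
# Exceptions that must never be bumped even if they match the list above.
acl never_bump ssl::server_name .partner.example

# step1: always peek; without SNI no sound decision is possible.
ssl_bump peek step1

# step2: the decision. stare commits to bumping at step3, peek commits to
# splicing at step3, because it determines the TLS Hello Squid sends next.
ssl_bump peek step2 never_bump
ssl_bump stare step2 bump_domains
ssl_bump peek step2

# step3: the action follows the step2 decision. Modern Squid does this by
# default; spelling it out documents the intent.
ssl_bump bump step3 bump_domains !never_bump
ssl_bump splice all
```

To check the error-page case from the thread, watch access.log for the first CONNECT: a denied CONNECT shows up with a TCP_DENIED status before any bumped request appears.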