On 12/08/21 4:06 am, robert k Wild wrote:
> Great thanks Amos as always
> So shall I leave these ssl_bump lines in
> ssl_bump splice NoSSLIntercept
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
> And delete this one
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> As you're right, they're both the same, I didn't spot that
> My understanding is that with the "no ssl intercept", squid doesn't even bother to
> inspect the packets, i.e. man in the middle, and just literally passes them
> straight to the client
> Is that right?
Not quite. Squid still has to receive and look at something to make the
decision to splice.
The "NoSSLIntercept" is just an ACL. Being defined as a ssl::server_name
type, it looks at whatever Squid is able to find for a server name
amongst the available data (CONNECT message URI, the client IP's
reverse-DNS, any TLS details seen so far, etc.).
So it depends on how many of the SSL-Bump steps have taken place so
far as to what it can match against.
In your case it happens at step1 and maybe step2 (when the peek happened
at step1 instead). Which means Squid looks at the TCP connection's
client IP, a CONNECT URI (if any) and maybe the TLS client handshake
plain-text details.
Note this is specific to your *current* configuration. Small changes
to the order of ssl_bump lines or ACLs used can change this behaviour
dramatically.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
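A complete squid.conf fragment for the setup discussed above, added here as an
illustration rather than taken from the thread or from Squid's own
documentation. The domain names, the inline domain list in the ACL, and the
comments describing what each step can see are assumptions made for the
example; the directive and ACL names are the ones used in the thread.

```text
# Added example (not from the thread above). The domains below are
# placeholders; a real deployment would normally keep them in a file.

# True only while Squid is deciding on the raw CONNECT request (or the
# intercepted TCP connection), before any TLS bytes have been read.
acl DiscoverSNIHost at_step SslBump1

# Sites that must never be man-in-the-middled. ssl::server_name matches
# whatever server name Squid has at the current step: at step 1 the host
# from an explicit CONNECT URI, at step 2 additionally the SNI from the
# peeked ClientHello, at step 3 the names in the server certificate.
acl NoSSLIntercept ssl::server_name .bank.example .mail.example

# ssl_bump rules are evaluated afresh at every step; the first rule whose
# ACL matches at that step decides the action.
#
# Step 1: splice is tried first, so a CONNECT to bank.example:443 is
#         spliced without Squid ever reading TLS. Otherwise DiscoverSNIHost
#         matches and Squid peeks, which reads the client's ClientHello.
# Step 2: splice is tried again, now with the SNI available. DiscoverSNIHost
#         no longer matches (step 1 is over), so anything left is bumped.
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

# The same three lines with peek first are NOT equivalent: the peek then
# always wins at step 1, so the splice decision is only ever made at
# step 2 from the peeked handshake, never from the CONNECT host alone.
# ssl_bump peek DiscoverSNIHost
# ssl_bump splice NoSSLIntercept
# ssl_bump bump all
```

After editing, `squid -k parse` reports syntax problems in the fragment, and
the access log shows which action was taken for a given CONNECT, which is the
quickest way to confirm that a host in NoSSLIntercept is spliced rather than
bumped.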