
Re: SSLBUMP for specific domains


 





On 13/01/2023 10:47 am, andre.bolinhas wrote:
> So is a bug for 500 or a bad configuration?
> I have also tried this setup and seems to "fix" the tcp_tunnel/500
> ...
> Basically the changes that I made is on peek step changing from
> ssl_bump peek ssl_step1
> To
> acl NotPeek any-of Group26

You should not need "any-of" ACL with a single entry. Just use "Group26" directly.

> ssl_bump peek !NotPeek
>
> This is a good idea?

What you have done here is tell Squid to peek at both step1 and step2.
The peek action is not relevant at step3, which lets Squid reach the splice rules.

The "bump" action will now be performed at step1 before any details of the server cert are available. This can work, but generally is a bad idea with current TLS. I recommend doing a peek, stare, bump sequence instead for the NotPeek/Group26 traffic.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
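
The peek, stare, bump sequence recommended in the reply above, written out as squid.conf rules. This is an added example, not configuration from the thread or from the Squid project. The ACL names `step1` and `step2` and the splice policy for all other traffic are assumptions, because the poster's full configuration is elided; `Group26` is the poster's ACL and its definition is not shown.

```squidconf
# Constructed example. step1/step2 are assumed ACL names.
# Group26 is the poster's ACL and must already be defined elsewhere.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# As posted in the thread (kept here as comments for comparison):
#   acl NotPeek any-of Group26
#   ssl_bump peek !NotPeek
# Group26 is excluded from the peek rule, so the first rule it can match
# is its bump rule (assumed, not shown in the thread), which then applies
# at step1 before any server certificate details are available.

# Step 1, all clients: peek at the TLS ClientHello.
ssl_bump peek step1

# Step 2, Group26 only: stare at the server hello and certificate.
# stare (rather than peek) keeps bumping possible at step 3.
ssl_bump stare step2 Group26

# Step 3, Group26 only: bump, now with the server certificate known.
# peek and stare are not applicable at step 3, and the two rules above
# win at steps 1 and 2, so this rule only takes effect at step 3.
ssl_bump bump Group26

# Everything else (assumed policy): peek again at step 2, then splice.
ssl_bump peek step2
ssl_bump splice all
```

Run `squid -k parse` against the edited file before reloading to catch ACL or ordering mistakes.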


