This was the before. What is faster or better for performance: the parsed ssl_bump lists or the singular list?

----Parsed----

#no concatenation used here
#acl splice_group any-of https_login NoBumpDNS NoSSLIntercept
#acl splice_only_local_group all-of splice_only_mac splice_only
#acl splice_main any-of splice_group splice_only_local_group
#acl bump_main all-of bump_only_mac bump_only

ssl_bump peek step1
ssl_bump terminate SSL_Intercept_Terminate
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated

-----Concatenated new version----

acl splice_group any-of https_login NoBumpDNS NoSSLIntercept #any of the splice lists OR acl ||
acl splice_only_local_group all-of splice_only_mac splice_only #MAC AND IP ADDRESS &&
acl splice_main any-of splice_group splice_only_local_group #combine to OR acl ||
acl bump_main all-of bump_only_mac bump_only #MAC AND IP ADDRESS &&

ssl_bump peek step1
ssl_bump terminate SSL_Intercept_Terminate
miss_access deny no_miss active_use
ssl_bump splice splice_main active_use
ssl_bump bump bump_main active_use
acl activated note active_use true
ssl_bump terminate !activated

> On Dec 30, 2024, at 08:46, Jonathan Lee <jonathanlee571@xxxxxxxxx> wrote:
>
> Hello Fellow Squid Users,
>
> I wanted to try to speed up my SSL interception caching, or optimize it.
>
> I have some small issues with some websites loading slowly, not really bad, just a small lag, and I started to play around with
> all-of and any-of to create new concatenated acls.
>
> I have arp mac addresses being used to check for ip and mac address for approval of proxy use and some other items.
>
> Does this speed up anything? I am trying to get the ssl bump items to have better performance.
> The splice side is lightning fast again; I just wonder if anything can be done to speed up the bump side. I am attempting to combine and concatenate access control lists.
>
> The MAC address and IP address matching does work, it has been for some time; I am just attempting a better way to create a better single acl for use with the ssl_bump directive.
>
> Here is the part of my config I am asking about, see #!!!!!!!
>
> acl wpad urlpath_regex ^/wpad.dat$
> acl wpad urlpath_regex ^/proxy.pac$
> acl wpad urlpath_regex ^/wpad.da$
> deny_info TCP_RESET wpad
> #deny_info 200:/etc/squid/wpad.dat wpad
> reply_header_access Content-Type deny wpad
> http_access deny wpad
> http_access deny !safeports
> http_access deny CONNECT !sslports
> #http_access allow localhost manager
> #http_access deny manager
> cachemgr_passwd disable offline_toggle reconfigure shutdown
> cachemgr_passwd CLASSIFIED all
> eui_lookup on
> acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
> acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow CONNECT windowsupdate localnet
> http_access allow CONNECT windowsupdate localhost
> http_access allow CONNECT HttpAccess localnet
> http_access allow CONNECT HttpAccess localhost
> #http_access deny manager
> http_access deny to_ipv6
> http_access deny from_ipv6
>
> acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
> sslproxy_cert_error deny all
>
> acl splice_only src 192.168.1.8
> acl splice_only src 192.168.1.10
> acl splice_only src 192.168.1.11
> acl splice_only src 192.168.1.15
> acl splice_only src 192.168.1.16
>
> acl splice_only_mac arp MAC
> acl splice_only_mac arp MAC
> acl splice_only_mac arp MAC
> acl splice_only_mac arp MAC
> acl splice_only_mac arp MAC
>
> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
> acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
> acl SSL_Intercept_Terminate dstdomain "/usr/local/pkg/url.bump"
>
> #acl markBumped annotate_client bumped=true #TESTING NOT USED
> acl active_use annotate_client active=true
>
> acl bump_only src 192.168.1.3
> acl bump_only src 192.168.1.4
> acl bump_only src 192.168.1.5
> #acl bump_only src 192.168.1.6
> acl bump_only src 192.168.1.9
> acl bump_only src 192.168.1.13
>
> acl bump_only_mac arp MAC
> acl bump_only_mac arp MAC
> acl bump_only_mac arp MAC
> acl bump_only_mac arp MAC
> acl bump_only_mac arp MAC
> #acl bump_only_mac arp MAC
>
> collapsed_forwarding on
> negative_dns_ttl 5 minutes
> coredump_dir /label/swap0
> read_ahead_gap 64 KB
> pipeline_prefetch 100
> happy_eyeballs_connect_timeout 10
> memory_pools on
>
>
> #!!!!!!!!
> acl splice_group any-of https_login NoBumpDNS NoSSLIntercept #any of the splice lists OR acl ||
> acl splice_only_local_group all-of splice_only_mac splice_only #MAC AND IP ADDRESS &&
> acl splice_main any-of splice_group splice_only_local_group #combine to OR acl ||
>
> acl bump_main all-of bump_only_mac bump_only #MAC AND IP ADDRESS &&
> #!!!!!!!!
>
>
>
> ssl_bump peek step1
> ssl_bump terminate SSL_Intercept_Terminate
> miss_access deny no_miss active_use
>
> #OLD WAY
> #ssl_bump splice https_login active_use
> #ssl_bump splice splice_only_mac splice_only active_use
> #ssl_bump splice NoBumpDNS active_use
> #ssl_bump splice NoSSLIntercept active_use
>
> #NEW WAY ONE ACL
> ssl_bump splice splice_main active_use
>
> #OLD WAY
> #ssl_bump bump bump_only_mac bump_only active_use
>
> #NEW WAY ONE ACL
> ssl_bump bump bump_main active_use
>
> acl activated note active_use true
> ssl_bump terminate !activated

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
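
Added example, not part of the original post and not Squid code: a truth-table check that the concatenated splice/bump rules decide exactly like the per-line rules they replace, so a refactor of this kind does not silently move a client from splice to bump. It assumes each base ACL is an independent boolean, ACLs on one rule line are ANDed, any-of/all-of are OR/AND, and the first matching rule wins in a single pass; ssl_bump steps and performance are not modelled.

```python
from itertools import product

# Base ACL names from the post; each is modelled as a free boolean (assumption).
BASE = ["https_login", "NoBumpDNS", "NoSSLIntercept", "splice_only_mac",
        "splice_only", "bump_only_mac", "bump_only", "active_use"]

# Group ACLs from the concatenated version: any-of -> any(), all-of -> all().
GROUPS = {
    "splice_group": (any, ["https_login", "NoBumpDNS", "NoSSLIntercept"]),
    "splice_only_local_group": (all, ["splice_only_mac", "splice_only"]),
    "splice_main": (any, ["splice_group", "splice_only_local_group"]),
    "bump_main": (all, ["bump_only_mac", "bump_only"]),
}

OLD = """
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
"""
NEW = """
ssl_bump splice splice_main active_use
ssl_bump bump bump_main active_use
"""

def matches(name, env, groups):
    """Evaluate one ACL name, optionally negated with '!', against env."""
    if name.startswith("!"):
        return not matches(name[1:], env, groups)
    if name in groups:
        op, members = groups[name]
        return op(matches(m, env, groups) for m in members)
    return env[name]

def decide(rules, env, groups=GROUPS):
    """Return the action of the first rule whose ACLs all match, else None."""
    for line in rules.strip().splitlines():
        _, action, *acls = line.split()
        if all(matches(a, env, groups) for a in acls):
            return action
    return None

def differences(old, new, groups=GROUPS):
    """List every ACL truth assignment where the two rule sets disagree."""
    envs = (dict(zip(BASE, bits))
            for bits in product([False, True], repeat=len(BASE)))
    return [e for e in envs if decide(old, e, groups) != decide(new, e, groups)]

if __name__ == "__main__":
    print("disagreements:", len(differences(OLD, NEW)))
```

An empty result from `differences(OLD, NEW)` means the two rule sets are decision-equivalent under the stated model; changing a group operator (for example `bump_main` to any-of) makes the mismatching assignments show up.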