
List:       squid-users
Subject:    Re: [squid-users] Bump and Splice
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2020-02-20 11:20:37
Message-ID: 28f2079e-ca64-5476-52d8-4a7eac723ba5 () treenet ! co ! nz

On 20/02/20 1:35 am, AndyBinder wrote:
> 
> Currently I have 2 working bumping configurations (Squid 4.9):
> 
> 1. Splice everything (working for blacklisting http and https sites without
> Bumping)
> 
> ssl_bump peek bump_step1 all
> ssl_bump splice all

The following lines are unreachable. You can just erase them from the config.

PS. Also you do not need the 'all' ACL on that first line.


> ssl_bump peek bump_step2 all
> ssl_bump splice bump_step3 all
> ssl_bump bump
> 
> 2. Bump everything except bump_nobumpsites
> 
> ssl_bump peek bump_step1 all
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump splice bump_step3 bump_nobumpsites
> ssl_bump stare bump_step2
> ssl_bump bump bump_step3
> 
> Now I try to combine both of them into one configuration and want to decide
> whether bumping or splicing via the nametag of the port (=acl
> bump_nobumpport).
> 
> Final wanted situation in words:
> 
> Bump everything except bump_nobumpsites and bump_nobumpports, but the SNI must
> be visible to match against blacklisted urls.

How important is that word "and" in your policy statement?

The config earlier used an OR condition:

  ssl_bump peek bump_step2 bump_nobumpsites
  ssl_bump peek bump_step2 bump_nobumpport

This would be an AND condition:

  ssl_bump peek bump_step2 bump_nobumpport bump_nobumpsites


> 
> @Alex: I tried your configuration examples but the blacklisted urls won't match
> on https sites.

If you are matching *URLs* that is the problem. Only the domain name is
available during ssl_bump checks. The URL only appears after bumping,
and only from http_access onwards.

Amos
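
The unreachable-lines and OR/AND points from the message above, as an added example that is not part of the original thread and is not Squid code: a small simulator that walks ssl_bump lines the way the reply describes (first matching line wins at each step, ACLs on one line are ANDed, separate lines are ORed) and lists the lines that can never fire. Assumptions: the bump_stepN names are at_step ACLs as in the quoted configs, the function names are hypothetical, and Squid's skipping of actions that are impossible at a given step, plus its defaults when no line matches, are not modelled.

```python
from itertools import product

STEP_ACLS = {"bump_step1": 1, "bump_step2": 2, "bump_step3": 3}  # assumed at_step ACLs

def parse(config):
    """'ssl_bump <action> [acl ...]' lines -> list of (action, [acls])."""
    lines = (l.split() for l in config.splitlines())
    return [(w[1], w[2:]) for w in lines if w[:1] == ["ssl_bump"]]

def matches(acls, step, facts):
    """ACLs on one line are ANDed; 'all' and an empty ACL list always match."""
    for acl in acls:
        if acl in STEP_ACLS:
            if STEP_ACLS[acl] != step:
                return False
        elif acl != "all" and not facts.get(acl, False):
            return False
    return True

def walk(rules, facts):
    """Steps 1-3 for one connection -> (final action or None, fired rule indexes)."""
    fired = []
    for step in (1, 2, 3):
        for i, (action, acls) in enumerate(rules):
            if matches(acls, step, facts):      # first matching line wins
                fired.append(i)
                if action not in ("peek", "stare"):
                    return action, fired        # splice/bump/terminate is final
                break                           # peek/stare: go to the next step
        else:
            break       # nothing matched: Squid's default applies (not modelled)
    return None, fired

def unreachable(rules):
    """Indexes of lines that fire for no combination of the non-step ACLs."""
    names = sorted({a for _, acls in rules for a in acls
                    if a != "all" and a not in STEP_ACLS})
    seen = set()
    for values in product([False, True], repeat=len(names)):
        seen.update(walk(rules, dict(zip(names, values)))[1])
    return [i for i in range(len(rules)) if i not in seen]

# Configuration 1 from the quoted message ("splice everything").
CONFIG_1 = """ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump"""

if __name__ == "__main__":
    print("unreachable line indexes:", unreachable(parse(CONFIG_1)))
```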
