On 09/26/2018 11:40 AM, Julian Perconti wrote:
>> It is impossible for any transaction to be spliced at step3 with this
>> configuration. Whether the transaction matches or does not match
>> noBumpSites at any given step is irrelevant for this statement.
>
> OK: In this configuration it is imposs
> > When I say "implicit" I want to mean that there is no step specified in
> the rule.
>
> Understood. Please avoid that word usage. In this context, implicit means
> "without being configured" or "by default". One could say that "default rules
> implicitly match", or that "a rule without any
On 09/22/2018 10:40 AM, Julian Perconti wrote:
>>> # Second rule:
>>> ssl_bump splice noBumpSites
>>>
>>> I think that this rule should implicitly match only at step2.
>>
>> I do not know what "implicitly match" means here, but yes, the splice rule
>> may only match at step2 in this configuration:
> > # Second rule:
> > ssl_bump splice noBumpSites
> >
> > I think that this rule should implicitly match only at step2.
>
> I do not know what "implicitly match" means here, but yes, the splice rule
> may only match at step2 in this configuration:
When I say "implicit" I want to mean that there i
On 09/21/2018 09:08 AM, Julian Perconti wrote:
> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump stare step2
> # Second rule:
> ssl_bump splice noBumpSites
>
> I think that this rule should implicitly match only at step2.
I do not know what "implicitly match" means here, but yes,
> > I will go (finally) with this sslBump config. Although I still have some
> doubts...
> > I think that it's time to finish this thread.
>
> I am confused because "you think it is time to finish this thread" but you are
> asking new questions. Please clarify, do you want answers to the questions
On 09/21/2018 09:08 AM, Julian Perconti wrote:
> I will go (finally) with this sslBump config. Although I still have some
> doubts...
> I think that it's time to finish this thread.
I am confused because "you think it is time to finish this thread" but
you are asking new questions. Please clarif
Hi all.
I will go (finally) with this sslBump config. Although I still have some
doubts...
I think that it's time to finish this thread.
# TLS CFG
acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
# steps ACL
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_st
On 20/09/18 9:35 AM, Donald Muller wrote:
> Amos,
>
> So instead of using squidguard are you saying you should use something like
> the following?
>
> acl ads dstdomain -i "/etc/squid/squid-ads.acl"
> acl adult dstdomain -i "/etc/squid/squid-adult.acl"
>
*If* those lists contain dstdomain for
I reply to myself due to a bounce and I have to re-enable the membership to
the list at least 3 times a month.
Maybe a problem with Yahoo.
>>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>>> fea
On 09/19/2018 10:23 AM, Julian Perconti wrote:
>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>> feature (and becomes a TCP tunnel).
> What about the meaning of the ACL's at step1 when splice?
>After a splice rule is applied, SslBump is over. No more rules are
>checked. No more loops are iterated. Squid simply "exits" the SslBump
>feature (and becomes a TCP tunnel).
How is that? What about the meaning of the ACL's at step1 when splice?
e.g.:
There are only these two rules for ssl_bump
On 09/18/2018 09:11 AM, Julian Perconti wrote:
>>> the thing that really does not make sense is splice at step1 and then
>>> splice
>>> at step2
>> It is not possible to splice twice. Splicing is one of the final actions. No
>> other
>> action follows a final action (by definition).
> So, if a
> Both loops can finish "early" (i.e. before three steps and/or before all
> configured rules are evaluated).
Yes, maybe I should have said at least: "Well in really, depend on the
rules.." Especially in the inner loop.
But I pointed to the maximum possibilities. (if exists)
> Just to avoid
On 09/17/2018 01:57 PM, Alex Rousskov wrote:
> For each other loop iteration, this inner loop will execute zero or more
> times, depending on the number _and_ meaning/content of the rules.
Typo: s/other loop/outer loop/
Alex.
___
squid-users mailing l
On 09/17/2018 11:53 AM, Julian Perconti wrote:
>> The overall logic is like this:
>>
>> for each step
>> do
>> for each rule
>> do
>> if the rule action is possible and the rule ACLs match,
>> then perform the rule action and either go to the next
>>
> > So, when squid reaches this first rule and line (there is no explicit
> > step) ...does Squid make a "bucle of steps" only along the first line
> > and go to next line only when the rule stop being
> > applicable/matchable?
>
> I hesitate answering that question with a simple "yes" or "no" be
On 09/13/2018 06:13 PM, Julian Perconti wrote:
>ssl_bump stare noBumpSites # This is the first line of SslBumps ruleset.
> So, when squid reaches this first rule and line (there is no explicit
> step) ...does Squid make a "bucle of steps" only along the first
> line and go to next line only
> > Example:
> >
> > ssl_bump splice noBumpSites # this will be totally ignored by Squid if a
> stare rule precedes this.
>
> No, this is incorrect. There are many cases where a previous stare rule will
> not
> have the effect you state it will. For example:
>
> # Squid may splice at step2 de
On 09/12/2018 09:02 PM, Julian Perconti wrote:
> ssl_bump peek step1
> ssl_bump peek noBumpSites
> ssl_bump stare all
ssl_bump peek noBumpSites # As there is no step specified, Squid matches
at any step
>> Not exactly. Squid will evaluate this rule at any step that (a) reaches
>> this line
> I am afraid you do not. You are probably missing the fact that, at each step,
> the rules after the matching applicable rule are not checked.
> Also, you seem to insert some implicit peeking rules that are never there.
> Finally, there may be some confusion regarding how multiple ACLs on one
> li
On 09/12/2018 08:28 AM, Julian Perconti wrote:
> Please, let me know if I understand why those cfg are equal
I am afraid you do not. You are probably missing the fact that, at each
step, the rules after the matching applicable rule are not checked.
Also, you seem to insert some implicit peeking
> > So, in brief the config is:
> >
> > ssl_bump peek step1 all
> > ssl_bump peek step2 noBumpSites
> > ssl_bump stare step2 all
>
> ... which should be equivalent to an even simpler config:
>
> ssl_bump peek step1
> ssl_bump peek noBumpSites
> ssl_bump stare all
Yes, I've tested and squ
On 09/10/2018 12:35 PM, Julian Perconti wrote:
> So, in brief the config is:
>
> ssl_bump peek step1 all
> ssl_bump peek step2 noBumpSites
> ssl_bump stare step2 all
... which should be equivalent to an even simpler config:
ssl_bump peek step1
ssl_bump peek noBumpSites
ssl_bump stare all
> -Original message-
> From: squid-users On behalf of
> Amos Jeffries
> Sent: Monday, 10 September 2018 01:13
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
>
> >
> > ...So th
On 10/09/18 6:29 AM, Julian Perconti wrote:
>> -Original message-
>> From: Amos Jeffries
>>
>> On 9/09/18 5:45 AM, Julian Perconti wrote:
-Original message-
From: Amos Jeffries
> So from http://marek.helion.pl/install/squid.html
>
> We have this configs:
>
> -Original message-
> From: squid-users On behalf of
> Amos Jeffries
> Sent: Sunday, 9 September 2018 02:35
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
>
> On 9/09/18 5:45 A
On 9/09/18 5:45 AM, Julian Perconti wrote:
>> -Original message-
>> From: squid-users On behalf of
>> Amos Jeffries
>> Sent: Friday, 7 September 2018 15:19
>> To: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] About S
> -Original message-
> From: squid-users On behalf of
> Amos Jeffries
> Sent: Friday, 7 September 2018 15:19
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
>
> > So from htt
On 8/09/18 4:58 AM, Julian Perconti wrote:
>> From: Amos Jeffries
>> On 7/09/18 1:48 PM, Julian Perconti wrote:
>>> Hi all,
>>>
>>> I have a new strange situation:
>>>
>>> With this peek-n-splice configuration:
>>>
>>> ssl_bump peek step1 all
>>> ssl_bump peek step2 noBumpSites
>>> ssl_bump splice s
> From: squid-users On behalf of
> Amos Jeffries
> Sent: Friday, 7 September 2018 01:18
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
>
> On 7/09/18 1:48 PM, Julian Perconti wrote:
> >
On 09/06/2018 10:18 PM, Amos Jeffries wrote:
> So... (let's call this config A)
>
> #step1 does this:
>
>> ssl_bump peek step1 all
>
> #step2 does this:
>
>> ssl_bump peek step2 noBumpSites
>> ssl_bump bump
>
> If the bump at step2 happened, there is no step3.
>
> #step3 does this:
>
>> ssl_
On 09/06/2018 07:48 PM, Julian Perconti wrote:
> With this peek-n-splice configuration:
>
> ssl_bump peek step1 all
> ssl_bump peek step2 noBumpSites
> ssl_bump splice step3 noBumpSites
> ssl_bump bump
>
> I got this error on spliced sites (a bank site):
> (104) Connection reset by peer (TLS co
On 7/09/18 1:48 PM, Julian Perconti wrote:
> Hi all,
>
> I have a new strange situation:
>
> With this peek-n-splice configuration:
>
> ssl_bump peek step1 all
> ssl_bump peek step2 noBumpSites
> ssl_bump splice step3 noBumpSites
> ssl_bump bump
So... (let's call this config A)
#step1 does thi
> From: Alex Rousskov
> Sent: Monday, 13 August 2018 02:01
> To: Julian Perconti ; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
>
> On 08/12/2018 06:57 PM, Julian Perconti wrote:
> >> From:
On 08/12/2018 06:57 PM, Julian Perconti wrote:
>> From: Alex Rousskov
>> Sent: Sunday, 12 August 2018 20:50
>> To: Julian Perconti ;
>> squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
>>
> -Original message-
> From: Alex Rousskov
> Sent: Sunday, 12 August 2018 20:50
> To: Julian Perconti ; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
>
> On 08/12/2018 04:09 PM, Julian
On 08/12/2018 04:09 PM, Julian Perconti wrote:
> I would like to know which of these two cfg's are "better" or "more secure"
> when a site/domain is spliced, bumped, etc.
It is impossible to answer that question without knowing how _you_
define "better" or "more secure".
> acl noBumpSites ssl::
Hi,
I would like to know which of these two cfg's are "better" or "more secure"
when a site/domain is spliced, bumped, etc.
Here the lines...
# mandatory lines:
acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_
39 matches