Re: [squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

2015-05-07 Thread Stanford Prescott
I've tried using the new server_name acl you provided an example of and Jason's suggestions for getting the external acl and bumphelper script working but it only results in everything still being bumped. The website I'm trying to use as a test for non-bumping, wellsfargo.com, still gets bumped alo

Re: [squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

2015-05-06 Thread Stanford Prescott
Jason helped me a lot although I am still having trouble getting that helper working. It got to the point that only the website I didn't want bumped was getting bumped because I had my logic switched in the helper script to nothing getting bumped at all. Jason pointed out that I appear to be using

Re: [squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

2015-05-06 Thread Nathan Hoad
Hi Stan, Yep, I think the server_name acl in 3.5.4 should provide what you want without the need for an external acl now. I haven't used it as the external acl fits my use case. I imagine doing something like this should work for server_name though... acl sni_exclusions ssl::server_name wellsfargo

Re: [squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

2015-04-12 Thread Amos Jeffries
On 13/04/2015 2:37 p.m., Nathan Hoad wrote:
> Hi Stan,
>
> So one of the things that peek and splice added was support for the
> Server Name Indication SSL extension, which lets Squid make bumping
> decisions more accurately based on the hostname, rather than the IP
> address. Prior to this, bump

Re: [squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

2015-04-12 Thread Nathan Hoad
Hi Stan, So one of the things that peek and splice added was support for the Server Name Indication SSL extension, which lets Squid make bumping decisions more accurately based on the hostname, rather than the IP address. Prior to this, bumping on only the IP address caused issues for virtual hos

Re: [squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

2015-04-12 Thread Nathan Hoad
Hi Stan, For peek and splice, you need to decide based on the SNI name, not the domain name, which for 3.5 means you need to use an external ACL helper that processes %ssl::>sni. For 4.0 there will be a server_name ACL you can use instead. On top of that, you also need to make sure this external

[squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

2015-04-12 Thread Stanford Prescott
I would like to give my users the ability to "not bump" certain sites. I tried to use the examples given on the SSLPeekandSplice wiki page but can't get it to work. This is a snippet of my squid.conf file. *https_port 192.168.10.1:808 intercept ssl-bump generate-host-cer