Hi Alex, I have now changed to *configurations suggested specifically for your use case, on this email thread* :)
acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare all
ssl_bump bump all

Now, suppose, as I think in my mind, bumping isn't really what I need, can I just comment out 'ssl_bump bump all' and sit easy or should I switch to ssl_bump splice all ??

I am sorry for my confusion...I think I have been on this way too long that my small brain has reached /etc (saturation point).

Thank you once again.

On 21 April 2016 at 21:06, Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 04/21/2016 08:12 AM, Odhiambo Washington wrote:
>
> > acl no_ssl_interception ssl::server_name ...
> > ssl_bump splice no_ssl_interception
> > ssl_bump stare step2
> > ssl_bump splice all
>
> You are mixing splice and stare now. There are two groups of actions:
>
> * peek and then splice
> * stare and then bump
>
> Do not mix actions from different groups together unless you know what
> you are doing.
>
>
> > So basically I should just have two options, I think, no?? Like
> >
> > ssl_bump stare step2
> > ssl_bump splice all
>
> Two bugs in this config:
>
> 1. It will splice everything during step #1. It is equivalent to:
>
>    ssl_bump splice all
>
>
> 2. To quote the wiki page:
>
>    stare (step2): Receive server certificate while preserving the
>    possibility of bumping the connection. Staring at the server certificate
>    usually precludes future splicing of the connection.
>
> squid.conf.documented has very similar text as well.
>
> You are telling Squid to splice do exactly what the documentation tells
> you is not usually possible.
>
>
> I can understand that it may be difficult to find and interpret
> documentation correctly. I can understand that it is difficult to
> evaluate a given configuration correctly. What I cannot understand is
> why you are not starting with configurations suggested specifically for
> your use case, on this email thread.
>
>
> > If one day, for some reason I want to bump, then I could change to:
> >
> > ssl_bump splice no_ssl_interception
> > ssl_bump stare step2
> > ssl_bump bump all
>
> Similar to #1 above, this will bump all connections not matching the
> [misnamed] no_ssl_interception during step1.
>
> The first matching action wins. During step1, that action is "bump" from
> your last rule if no_ssl_interception does not match.
>
>
> HTH,
>
> Alex.
>
>

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
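
Added example (not part of the thread, and not Squid code): a simplified Python model of the "first matching action wins, re-evaluated at every step" behaviour discussed above, run over the three rule lists quoted in these messages. It assumes the server name is already known in step 1 and treats "usually precludes" as always; the function and constant names are made up for this illustration.

```python
# Added illustration: simplified model of ssl_bump evaluation, not Squid code.
FINAL = {"splice", "bump", "terminate"}

def acl_matches(acl, step, exempt):
    """ACLs used on this thread: 'all', 'stepN', 'no_ssl_interception'."""
    if acl == "all":
        return True
    if acl.startswith("step"):
        return acl == f"step{step}"
    if acl == "no_ssl_interception":
        return exempt  # assumption: server name already known in step 1
    raise ValueError(f"unknown ACL: {acl}")

def applicable(action, step, prev):
    """Drop actions this model treats as impossible at the current step."""
    if step == 3 and action in ("peek", "stare"):
        return False  # nothing further to look at in step 3
    if step == 3 and (prev, action) in {("stare", "splice"), ("peek", "bump")}:
        return False  # assumption: "usually precludes" treated as always
    return True

def evaluate(rules, exempt=False):
    """Return [(step, action)] for one connection; first match wins per step."""
    trace, prev = [], None
    for step in (1, 2, 3):
        action = next((a for a, acl in rules
                       if applicable(a, step, prev)
                       and acl_matches(acl, step, exempt)),
                      "no-match")  # Squid's fallback here is not modelled
        trace.append((step, action))
        if action in FINAL or action == "no-match":
            break
        prev = action
    return trace

# Rule lists quoted in the thread, as (action, acl) pairs.
STARE_THEN_SPLICE = [("stare", "step2"), ("splice", "all")]
STARE_STEP2_THEN_BUMP = [("splice", "no_ssl_interception"),
                         ("stare", "step2"), ("bump", "all")]
STARE_ALL_THEN_BUMP = [("splice", "no_ssl_interception"),
                       ("stare", "all"), ("bump", "all")]

if __name__ == "__main__":
    for rules in (STARE_THEN_SPLICE, STARE_STEP2_THEN_BUMP, STARE_ALL_THEN_BUMP):
        print(rules, evaluate(rules), evaluate(rules, exempt=True))
```
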