Perhaps an alternative is to peek only on step1:

    acl step1 at_step SslBump1
    ssl_bump peek step1
    acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
    ssl_bump splice allowed_https_sites
    ssl_bump terminate all

On Nov 25, 2017 14:46, "James Lay" <j...@slave-tothe-box.net> wrote:
> On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:
> > On 26/11/17 00:52, James Lay wrote:
> > > On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
> > > > On 25/11/17 08:30, James Lay wrote:
> > > > > Topic says it...this setup has been working well for a long time, but
> > > > > now there are some sites that are failing the TLS handshake. Here's
> > > > > my setup:
> > > > >
> > > > > acl localnet src 192.168.1.0/24
> > > > > acl SSL_ports port 443
> > > > > acl Safe_ports port 80
> > > > > acl Safe_ports port 443
> > > > > acl CONNECT method CONNECT
> > > > > acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> > > > > http_access deny !Safe_ports
> > > > > http_access deny CONNECT !SSL_Ports
> > > > > http_access allow SSL_ports
> > > > > http_access allow allowed_http_sites
> > > > > http_access deny all
> > > > > ssl_bump peek all
> > > > > acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> > > > > ssl_bump splice allowed_https_sites
> > > > > ssl_bump terminate all
> > > >
> > > > Because you have "peek all" being performed the transaction MUST pass
> > > > your regex patterns with both TLS SNI from the client *and* the server
> > > > certificate SubjectName values. Either one not matching will perform
> > > > that "terminate all" on the TLS handshake.
> > >
> > > Thanks Amos...do you have a suggestion for changing this to match one or
> > > the other instead of both?
> >
> > Doing the splice check before the peek should do that. First one of the
> > server_names data sources to match will then splice and non-matches fall
> > through to either peek or terminate if no more peeking possible.
> >
> > Amos
>
> Perfect..I've modded my lines with:
>
> acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"
> ssl_bump splice broken_https_sites
> ssl_bump peek all
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all
>
> Hopefully that fixes these up. Another site besides the one this
> thread is fbcdn.net. Again, these DID work, but something within the
> last month has changed...guessing Facebook and Elder Scrolls Online have
> added additional TLS security. Thanks as always Amos.
>
> James
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
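The rule-ordering point argued in the thread, as an added example that is not part of the thread and not Squid's own code: a small Python model of how an ssl_bump list is walked (one pass per SslBump step, first matching rule decides that step, peek moves on to the next step, splice/terminate end it) run over the three orderings discussed (the original "peek all" first, Amos's splice-before-peek, and the peek-only-on-step1 variant). It assumes one server-name source per step (CONNECT host, then client SNI, then server certificate names), that peek rules are skipped at step 3 where they do not apply, and uses a constructed allow-list pattern and a constructed CDN-fronted transaction whose SNI is allow-listed but whose certificate name is not.

```python
import re

# Model of one ssl_bump rule walk per SslBump step (assumptions, not Squid
# code): step 1 sees the CONNECT host, step 2 the client SNI, step 3 the server
# certificate names; peek rules are skipped at step 3 where they do not apply.
STEP_SOURCE = {1: "connect_host", 2: "sni", 3: "cert_names"}

def names_at(step, tx):
    src = tx[STEP_SOURCE[step]]
    return src if isinstance(src, list) else [src]

def server_name_regex(patterns):
    """ACL in the spirit of ssl::server_name_regex over a list of patterns."""
    compiled = [re.compile(p) for p in patterns]
    return lambda step, tx: any(r.search(n) for r in compiled for n in names_at(step, tx))

def at_step(n):
    """ACL in the spirit of 'acl stepN at_step SslBumpN'."""
    return lambda step, tx: step == n

all_acl = lambda step, tx: True  # the built-in 'all' ACL

def decide(rules, tx):
    """rules: (action, acl) pairs in squid.conf order; returns the final action."""
    for step in (1, 2, 3):
        chosen = None
        for action, acl in rules:
            if step == 3 and action == "peek":
                continue  # peek is only applicable at steps 1 and 2
            if acl(step, tx):
                chosen = action  # first matching rule decides this step
                break
        if chosen is None:
            return "splice"  # no rule matched: Squid's default action
        if chosen != "peek":
            return chosen  # splice/terminate end the evaluation

# Constructed allow-list standing in for /opt/etc/squid/http_url.txt.
ALLOWED = server_name_regex([r"(^|\.)example\.com$"])
ORIGINAL = [("peek", all_acl), ("splice", ALLOWED), ("terminate", all_acl)]
SPLICE_FIRST = [("splice", ALLOWED), ("peek", all_acl), ("terminate", all_acl)]
PEEK_STEP1 = [("peek", at_step(1)), ("splice", ALLOWED), ("terminate", all_acl)]

# Constructed transaction: allow-listed SNI, but the CDN edge cert lacks that name.
CDN_SITE = {"connect_host": "www.example.com", "sni": "www.example.com",
            "cert_names": ["edge-cache.example-cdn.net"]}

for label, rules in (("original", ORIGINAL), ("splice first", SPLICE_FIRST),
                     ("peek step1 only", PEEK_STEP1)):
    print(f"{label:16} -> {decide(rules, CDN_SITE)}")
```

With "peek all" first the splice rule is only reached at step 3, where the certificate name is what the regex sees, so the CDN site is terminated; with splice ahead of peek the SNI (or CONNECT host) is enough to splice it.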