On Thu, 24 Feb 2022 11:08:48 -0500
Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 2/23/22 22:09, Dave Blanchard wrote:
> > OK--I solved the problem by removing the "ssl_bump bump all" line.
> > Works fine now.
> 
> > Damn, this proxy is a TOTAL PAIN IN THE ASS!! to configure. It seems
> > like 90% of the tutorials out there are junk, largely because things
> > keep changing from version to version, obsoleting them.
> 
> This email thread is a good example. The original ssl_bump config shared 
> in the beginning of the thread did not make sense at all. Squid bugs 
> notwithstanding, the implied second config (the one with "ssl_bump bump 
> all" line removed) should not cache any HTTPS transactions either. 
> However, folks will read this thread, copy the original config, maybe 
> remove the "bump" line, and expect things to "work" because the 
> "problem" was "solved" for somebody else.
> 

Sorry, it was irresponsible of me to forget to mention that I changed the 
'peek' line to 'stare', and added in another line. The final config, not 
counting the other default config items which were left unchanged, is as 
follows:

http_port 3128 ssl-bump \
               generate-host-certificates=on \
               dynamic_cert_mem_cache_size=32MB \
               cert=/path/to/cert.pem \
               key=/path/to/cert.pem

sslcrtd_program /usr/libexec/security_file_certgen -s /path/to/ssl_database -M 32MB

ssl_bump client-first all
ssl_bump stare all
ssl_bump splice localhost

(Note for any other confused noobs reading this: this configuration apparently 
requires Squid to be compiled with the --with-openssl and --with-ssl-crtd options 
on the 'configure' command line; or at least it did in older versions, and 
presumably still does.)

This final config works perfectly to cache SSL items, and has greatly increased 
the utility of my slow connection.

> 
> > Please add more concrete examples to the Wiki reference pages!
> 
> IMHO, SslBump is too nuanced/complex to be able to reuse simple 
> configurations without understanding their meaning. We should improve 
> documentation a lot, but it takes a village to do that, and "more 
> examples" is hardly the answer.
> 
> Alex.

Although I am sure the reference material is extremely valuable, as a 
non-expert I found it frustrating, as there are almost NO concrete examples on each 
reference page which SHOW the given config option being used in real world 
configurations. This is a common problem with a lot of 'man' pages in the Linux 
world, for example, which have page after page of information that is essentially 
useless unless one is already an expert, or extremely tedious to parse through, 
because it does not give concrete examples.

On other sections of the wiki there are more explanatory texts showing various 
how-to scenarios, but again, I couldn't find a single one that showed this 
exact configuration here and briefly explained why/how it works, step by step 
according to what Squid is doing at each step. I ended up finding the key parts 
of the above config on a third party tutorial page ("How I saved countless 
gigabytes of data with Squid caching" or something like that), while deleting 
several lines from that config which were apparently unneeded/outdated. 
Actually I thought I had read somewhere that the 'client-first' line is itself 
outdated, but Squid doesn't complain about it, so maybe not. Anyhow, it works. 

I don't understand exactly *how* it works, because I don't have time to study 
all the internal workings of Squid at this time; just needed to quickly get a 
proxy up and running to solve this problem and move on to other work. As it 
was, I had like two dozen browser tabs open reading different things, only to 
slowly and painfully piece together what turns out to be a very simple config.

-- 
Dave Blanchard <d...@killthe.net>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
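The config above points both `cert=` and `key=` at one PEM file, and Squid's certificate generator signs a fresh per-host certificate with that CA for every bumped connection. The script below is an added example, not part of this thread and not a Squid tool: it checks that such a file holds a certificate and a private key that match, that the certificate is a CA and not expired, and that the key is not readable by other users. It assumes the `openssl` command-line tool is installed; the `make_demo_ca` helper builds a throwaway, constructed CA so the check can be exercised without touching a real proxy, and `/path/to/cert.pem` is the placeholder from the message, not a real path.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). Sanity-check the combined
# PEM referenced by "http_port 3128 ssl-bump ... cert=... key=...": Squid mints
# per-host certificates signed by this CA, so the file must hold a CA
# certificate plus its matching private key, and the key must stay private.
# Assumes the openssl CLI is available.

# check_bump_ca PEMFILE: print findings; return 0 only if every check passes.
check_bump_ca() {
    pem="$1"
    status=0

    if ! grep -q 'BEGIN CERTIFICATE' "$pem"; then
        echo "FAIL: no certificate block in $pem"; status=1
    fi
    if ! grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$pem"; then
        echo "FAIL: no private key block in $pem"; status=1
    fi
    [ "$status" -eq 0 ] || return "$status"

    # The public key inside the certificate must equal the one derived from
    # the private key; compare SHA-256 digests of their DER encodings.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key in $pem do not match"; status=1
    fi

    # generate-host-certificates needs a CA certificate, not a leaf.
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: certificate lacks basicConstraints CA:TRUE"; status=1
    fi

    # An expired signing CA makes every bumped connection fail verification.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; status=1
    fi

    # Anyone who can read this key can forge certificates the clients trust.
    if [ -n "$(find "$pem" -perm -004 -o -perm -040)" ]; then
        echo "FAIL: $pem is readable by group or others"; status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $pem looks usable as an SslBump signing CA"
    fi
    return "$status"
}

# make_demo_ca DIR: build a constructed, throwaway CA in DIR/cert.pem so the
# check can be tried without a real Squid installation. Uses a private
# openssl config so the result does not depend on the system openssl.cnf.
make_demo_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = constructed demo SslBump CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # One file for both cert= and key=, as in the thread's http_port line.
    cat "$dir/ca.crt" "$dir/ca.key" > "$dir/cert.pem"
    chmod 600 "$dir/cert.pem"
}

# Usage: sh check_bump_ca.sh /path/to/cert.pem
if [ -n "${1:-}" ]; then
    check_bump_ca "$1"
fi
```

Run it against the file named in `http_port` before pointing browsers at the proxy; a mismatched key or a non-CA certificate shows up here as a clear FAIL instead of as an opaque TLS error on every bumped site.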