Hello,

We are attempting to leverage headers to isolate access to external sites with 
squid 4.14. The load balancer is injecting headers and squid is simply verifying 
them:

acl ACL_HDR_1 req_header Repo_Svr_VerifiedHdr True
acl REPO_DST_ALLOW dstdomain "/etc/squid/acls.d/hosts.acl"
http_access allow                           PROXY-SRC REPO_DST_ALLOW ACL_HDR_1

We are currently decrypting this traffic and it's working well.

Now we have a requirement to skip ssl decrypt for only certain destinations. My 
thought was to simply create a separate ACL where skipping ssl decrypt is 
required and add the header ACL to the end of the ssl_bump directive like so:

acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True
acl Repo_SkipSslDecrypt dstdomain "/etc/squid/acls.d/hosts.acl"
ssl_bump none Repo_SkipSslDecrypt  Repo_Skip_HDR

This parsed successfully but did not have the desired effect. The squid is 
still inspecting the traffic even with the header present, as we can see in the 
logs. Making things a little more complex, the ssl_bump directive seems to have 
a global effect and also imply "http_access allow", making it difficult to isolate 
access. To get around this I thought to simply skip ssl decrypt for the traffic 
with verified headers:

acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True
ssl_bump none Repo_Skip_HDR

Unfortunately, even this isn't working: again the config checks out and runs 
happily, and we see the header in the logs, but squid still tries to inspect the 
traffic.

Any thoughts on why ssl_bump would ignore the header ACL or other suggestions 
to isolate traffic when being required to skip ssl decrypt would be greatly 
appreciated.

Thanks in advance.

Regards,
Matt Toler
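An added configuration example, written by the editor and not taken from the post or from Squid's own sources, showing the stepwise form that Squid's ssl_bump documentation describes for selective decryption. The ACL names reuse the post's (PROXY-SRC is assumed to be defined elsewhere in the poster's config, as it is in the post); the `at_step` ACL and the peek/splice/bump ordering are Squid's documented mechanism. Two points the example is built around: ssl_bump is evaluated in steps, and at step 1 the only HTTP request Squid has is the CONNECT request itself, so a `req_header` ACL can only match headers carried on that CONNECT, never headers inside the TLS-encrypted request; and `http_access` still decides whether the CONNECT is accepted at all, while ssl_bump only decides what happens inside an accepted tunnel. The anchored `^True$` pattern is a tightening of the post's `True` (req_header patterns are regular expressions, so an unanchored `True` also matches values that merely contain it).

```conf
# Added example (editor's, not the poster's or Squid's own config).
# ACL names follow the post; at_step / peek / splice / bump ordering
# follows Squid's ssl_bump documentation.

# Header injected by the load balancer. At ssl_bump step 1 Squid only sees
# the CONNECT request, so this can only match a header on the CONNECT itself.
# ^True$ is anchored so a value such as "NotTrue" does not also match.
acl Repo_Skip_HDR       req_header Repo_Svr_VerifiedHdr ^True$
acl Repo_SkipSslDecrypt dstdomain  "/etc/squid/acls.d/hosts.acl"
acl step1               at_step    SslBump1

# http_access still governs whether the CONNECT is accepted at all;
# ssl_bump never grants access by itself. PROXY-SRC is assumed to be
# defined elsewhere, as in the post.
http_access allow PROXY-SRC Repo_SkipSslDecrypt Repo_Skip_HDR
# (existing http_access rules for the decrypted traffic go here)
http_access deny  all

# Step 1: peek at the TLS ClientHello without committing to a decision.
ssl_bump peek   step1
# Step 2: the CONNECT target and the ClientHello SNI have now been seen.
# Tunnel the exempted destinations (both ACLs must match: AND semantics),
# decrypt everything else.
ssl_bump splice Repo_SkipSslDecrypt Repo_Skip_HDR
ssl_bump bump   all
```

One way to verify which path a given connection took without reading the decrypted content is to add `%ssl::bump_mode` to the `logformat` used by `access_log`, which records `splice`, `bump`, `peek` and so on per entry; if the exempted destinations still log as `bump`, the header is not present on the CONNECT request that Squid is evaluating.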

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users