Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-05-05 Thread Alex Rousskov
On 5/5/20 5:38 AM, Amos Jeffries wrote:
> On 5/05/20 4:31 am, Alex Rousskov wrote:
>> On 5/3/20 10:41 PM, Scott wrote:
>>> https://wiki.squid-cache.org/Features/SslPeekAndSplice says "At no point
>>> during ssl_bump processing will dstdomain ACL work".
>> I have not tested this, but I would expec

Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-05-05 Thread Amos Jeffries
On 5/05/20 4:31 am, Alex Rousskov wrote:
> On 5/3/20 10:41 PM, Scott wrote:
>
>> acl tcp_open_connect_sslbump at_step SslBump1
>> acl ssl_splice_sni ssl::server_name "/usr/local/etc/squid/acls/splice_sni"
>> acl guest_net_src src x.y.z.0/24
>>
>> ssl_bump peek tcp_open_connect_sslbump
>> ssl_bump

Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-05-04 Thread Alex Rousskov
On 5/3/20 10:41 PM, Scott wrote:
> acl tcp_open_connect_sslbump at_step SslBump1
> acl ssl_splice_sni ssl::server_name "/usr/local/etc/squid/acls/splice_sni"
> acl guest_net_src src x.y.z.0/24
>
> ssl_bump peek tcp_open_connect_sslbump
> ssl_bump splice ssl_splice_sni
> ssl_bump bump guest_net_sr

Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-05-03 Thread Scott
On Thu, Apr 30, 2020 at 04:05:43PM -0400, Alex Rousskov wrote:
> On 4/30/20 12:10 PM, Scott wrote:
>
> >> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
> >> are sent to the SslBump code.
> >>
> >> * For https_port configured with an ssl-bump flag, all traffic is sent
> >>

Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-04-30 Thread Alex Rousskov
On 4/30/20 12:10 PM, Scott wrote:
>> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
>> are sent to the SslBump code.
>>
>> * For https_port configured with an ssl-bump flag, all traffic is sent
>> to the SslBump code (by faking a corresponding HTTP CONNECT request).
> The

Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-04-30 Thread Scott
> Date: Mon, 27 Apr 2020 15:09:03 -0400
> From: Alex Rousskov
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Best way to prevent squid from bumping CONNECTs
>
> On 4/27/20 12:21 PM, Scott wrote:
>
> > my experience with ssl_bump is that it tr

Re: [squid-users] Best way to prevent squid from bumping CONNECTs

2020-04-27 Thread Alex Rousskov
On 4/27/20 12:21 PM, Scott wrote:
> my experience with ssl_bump is that it tries to bump SSL connections whether
> presented to Squid explicitly or implicitly.

* For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels are sent to the SslBump code.

* For https_port configured with a

[squid-users] Best way to prevent squid from bumping CONNECTs

2020-04-27 Thread Scott
Hi, my experience with ssl_bump is that it tries to bump SSL connections whether presented to Squid explicitly or implicitly. I have a device with two pieces of software, one configured with Squid explicitly, one that requires intercept (via WCCP). So both explicit CONNECT messages arrive at s