Right, I see.

So I’ve got a special ACL to always allow that Test URL for the sake of our 
certcheck … but it’s doing it by dstdomain. So if there are rules to say 
“always redirect to the certificate splash page if you can’t connect to the 
URL”, then it will never pass it because the initial CONNECT step can never 
match a dstdomain and will always be DENIED.

So what I really need to do is change that test URL’s ACL to be a dst instead 
(and find a URL that isn’t going to resolve to different IPs over time). Okay.

While we’re at it, is there a Peek & Splice "equivalent" of the config I posted 
before?

Kind regards
Dan

> On 19 Mar 2015, at 5:18 pm, Amos Jeffries <squ...@treenet.co.nz> wrote:
> 
> On 19/03/2015 6:36 p.m., Dan Charlesworth wrote:
>> Hey y’all
>> 
>> Finally got 3.5.2 running. I was under the impression that using 
>> server-first SSL bump would still be compatible, despite all the Peek & 
>> Splice changes, but apparently not. Hopefully someone can explain what might 
>> be going wrong here ...
>> 
> 
> Sadly "being compatible" with a broken design does not mean "working".
> server-first only works nicely if the client, Squid, and server are
> operating with the same TLS features - which is uncommon.
> 
> 
>> Using the same SSL Bump config that we used for 3.4, we are now seeing this 
>> happen:
>> 19/Mar/2015-16:21:32     22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 
>> CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - -
>> 
> 
> The CONNECT request in the clear-text HTTP layer is now subject to
> access controls before any bumping takes place. Earlier Squid would let
> the CONNECT through if you were bumping, even if it would have been
> blocked by your access controls normally.
> 
> This is unrelated to server-first or any other ssl_bump action.
> 
>> Instead of this:
>> 19/Mar/2015-14:42:04    736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 
>> GET https://code.jquery.com/jquery-1.11.0.min.js - server-first 
>> Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508
>>  ORIGINAL_DST/94.31.29.53 application/x-javascript -
>> 
> 
> That is a different HTTP message from inside the encryption.
> 
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
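As an added illustration of the dstdomain-versus-dst point above (not the config Dan posted earlier, which is not in this thread, and not anything from the Squid project), with a placeholder hostname and address; the ssl_bump lines are a generic Squid 3.5 peek-and-splice skeleton, not Dan's config:

```conf
# Added example, not from this thread. Hostname and IP are placeholders.

# 1) The failing form. An intercepted HTTPS session reaches Squid as
#    "CONNECT 94.31.29.230:443". Squid 3.5 evaluates http_access on that
#    CONNECT before any bumping, and a dstdomain ACL is matched against a
#    hostname: for a bare IP it only matches if a reverse-DNS lookup happens
#    to return that exact name, which a CDN address will not. So this allow
#    rule effectively never fires and the CONNECT is denied.
acl certcheck_by_name dstdomain certcheck.example.com   # placeholder name
http_access allow certcheck_by_name

# 2) The corrected form. Match the CONNECT by destination address instead.
#    Pick a target whose address is stable and re-verify it if the host moves.
acl certcheck_by_ip dst 198.51.100.10                  # placeholder (RFC 5737)
http_access allow certcheck_by_ip

# Minimal peek-and-splice skeleton (Squid 3.5). At step 1 Squid sees only the
# CONNECT (an IP for intercepted traffic). After "peek" at step 1 the client's
# SNI is available as ssl::server_name at step 2, which is where name-based
# decisions about the TLS session belong, not in the http_access CONNECT rule.
acl step1 at_step SslBump1
ssl_bump peek step1
acl certcheck_sni ssl::server_name certcheck.example.com   # placeholder name
ssl_bump splice certcheck_sni
ssl_bump bump all
```

The http_access decision and the ssl_bump decision are separate: the first must pass on the raw CONNECT, the second gets the SNI only after the peek.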
