On 08/16/2016 05:12 PM, Amos Jeffries wrote: > On 17/08/2016 2:22 a.m., Steve Hill wrote: >> Is there a way of figuring out if the current request is a bumped >> request when the http_access ACL is being checked? i.e. can we tell the >> difference between a GET request that is inside a bumped tunnel, and an >> unencrypted GET request?
> In Squid-3 a combo of the myportname and proto ACLs should do that. > > In Squid-4 the above, or the connections_encrypted ACL type. In both cases, please be extra careful with CONNECT requests (real or fake) that precede bumped traffic but also go through http_access rules and with unencrypted https:// requests that some Squids may receive. Since bumping is not a instantaneous decision but a long process, possibly involving several CONNECT requests, and since other traffic, especially in complicated deployments can have properties similar to bumped requests, it is often difficult to write correct "this HTTP request was bumped" ACLs. This configuration problem should be at least partially addressed by the upcoming annotate_transaction ACLs inserted into ssl_bump rules: http://lists.squid-cache.org/pipermail/squid-dev/2016-July/006146.html HTH, Alex. _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
