Do peek and stare function exact same at step 1? Also does dstdom_regex work in ssl_bump?

Amish
Hello,

I was referring to:
http://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions

Based on the explanation, I wonder if peek and stare are exactly the same at step 1?

If yes, which one should I use at step 1? peek or stare?

I am asking because in future their function may change (at step 1).

My intention is to bump as much traffic as can be done (at step 3).

Currently:
At step 1 I peek most traffic (and splice traffic originating from some IPs)
At step 2 I stare most traffic (and splice exempted domains)
At step 3 everything is bumped.

If peek and stare are the same at step 1, I may change peek to stare so that
it looks consistent.


My 2nd question is:

In the above link it is mentioned under "Configuration Examples" that:
"At no point during ssl_bump processing will dstdomain ACL work. That
ACL relies on HTTP message details that are not yet decrypted"

Does it hold true for dstdom_regex as well? Because both seem to apply
to the same thing.

Thanks and regards,

Amish.

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Re: Do peek and stare function exact same at step 1? Also does dstdom_regex work in ssl_bump?

Alex Rousskov
On 06/19/2017 06:16 AM, Amish wrote:

> I was referring to:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions
>
> Based on explanation I wonder if peek and stare are exactly same at step 1?

Both look at the same Client Hello bytes but have at least one different
side effect:

* If you use "peek" during step 1 and Squid cannot decide what you want
to do during step 2, then Squid should splice.

* If you use "stare" during step 1 and Squid cannot decide what you want
to do during step 2, then Squid should bump.

IIRC, there were implementation bugs in the above algorithm but they may
have been fixed since then. As a rule of thumb, always tell Squid what
to do by making sure that at least one applicable ssl_bump rule matches,
regardless of the step.



> If yes, which one should I use at step 1? peek or stare?

* If you intend to splice, use peek.
* If you intend to bump, use stare.
* If you are not yet sure, it is a gray area. Use whatever you think is
best.


> My 2nd question is:
>
> In the above link it is mentioned under "Configuration Examples" that:
> "At no point during ssl_bump processing will dstdomain ACL work. That
> ACL relies on HTTP message details that are not yet decrypted"

Hm.. AFAICT, that comment is misleading: dstdomain (and dstdom_regex)
"work" as expected in some SslBump cases, sometimes even during step1.
However, you should use server_name if possible instead because
server_name should work as expected in all SslBump cases. And the latest
Squids (v5 r15189) can be used to fine-tune server_name behavior to
match based on SNI, server certificate, and other critically important
cases.


HTH,

Alex.
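The three-step layout Amish describes, rewritten to follow Alex's rule of thumb (at every step exactly one intended ssl_bump rule matches, so Squid never falls back on the implicit peek-means-splice / stare-means-bump default) and using ssl::server_name instead of dstdomain for the domain exemptions. This is an added squid.conf fragment, not configuration from the thread or from the Squid wiki; it assumes an https_port with ssl-bump already configured, and the subnet and domain names are placeholders.

```conf
# Added example (not from the thread or the Squid wiki). Assumes an
# existing "https_port ... ssl-bump ..." line; subnet and domains are
# placeholders.

# One ACL per SslBump step; Squid re-evaluates the ssl_bump rules at
# each step, first match wins.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Clients that must never be intercepted at all (placeholder subnet).
acl splice_src src 192.0.2.0/24

# Domains exempted from bumping. Matched on the TLS SNI (and, from the
# stare/bump steps on, the server certificate), not on dstdomain, which
# needs an HTTP request that is still encrypted at this point.
acl splice_sni ssl::server_name .bank.example
acl splice_sni ssl::server_name .health.example

# Step 1: only TCP-level facts are known. Splice exempt sources outright;
# peek at everything else so that splicing at step 2 stays possible.
ssl_bump splice splice_src
ssl_bump peek   step1

# Step 2: the SNI is known. Splice the exempted names; stare at the rest,
# which fetches the server certificate and commits to bumping at step 3.
ssl_bump splice splice_sni
ssl_bump stare  step2

# Step 3: everything that got here is bumped. "all" also serves as the
# final catch-all, so no step is left without a matching rule.
ssl_bump bump   all

# What NOT to do: a step 2 with no matching rule, e.g. only
#   ssl_bump splice splice_sni
# and nothing after it, makes the outcome depend on whether step 1 peeked
# (Squid should splice) or stared (Squid should bump) instead of on policy.
```

Run `squid -k parse` after editing to catch ACL and ssl_bump syntax errors before reloading. The choice at step 1 encodes intent: peek keeps splicing at step 2 available, stare does not, so a configuration that may still splice some SNIs at step 2 (as this one does) should peek at step 1.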