On 08/05/17 13:18, Alex Rousskov wrote:
On 03/31/2017 07:21 AM, Christos Tsantilas wrote:
Avoid sending second CONNECT request to adaptation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The users may not want to send the second request to the adaptation
services. In this case they can use acls as follows:
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl markSpliced annotate_client spliced=true
ssl_bump peek step1
ssl_bump splice step2 markSpliced
acl markedSpliced note spliced true
adaptation_access class_reqmodifing deny markSpliced
adaptation_access class_reqmodifing allow all
For the record, there is also an alternative way to avoid step2
adaptation (without using any annotations):
adaptation_access request-modifier deny step2
adaptation_access request-modifier allow all
Christos has verified that both approaches work so admins can pick the
one _they_ prefer (which may depend on, for example, whether they are
already using annotations for something else).
So the documentation of at_step is now wrong:
"Never matches and should not be used outside of /ssl_bump/."
Amos
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
