On 05/08/2017 12:49 AM, Amos Jeffries wrote:
>
> On 08/05/17 13:18, Alex Rousskov wrote:
>> On 03/31/2017 07:21 AM, Christos Tsantilas wrote:
>>> Avoid sending second CONNECT request to adaptation
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> The users may not want to send the second request to the adaptation
>>> services. In this case they can use acls as follows:
>>>
>>>    acl step1 at_step SslBump1
>>>    acl step2 at_step SslBump2
>>>    acl markSpliced annotate_client spliced=true
>>>
>>>    ssl_bump peek step1
>>>    ssl_bump splice step2 markSpliced
>>>
>>>    acl markedSpliced note spliced true
>>>
>>>    adaptation_access class_reqmodifing deny markedSpliced
>>>    adaptation_access class_reqmodifing allow all
>>
>> For the record, there is also an alternative way to avoid step2
>> adaptation (without using any annotations):
>>
>>    adaptation_access request-modifier deny step2
>>    adaptation_access request-modifier allow all
>>
>> Christos has verified that both approaches work so admins can pick the
>> one _they_ prefer (which may depend on, for example, whether they are
>> already using annotations for something else).
>
> So the documentation of at_step is now wrong:
>   "Never matches and should not be used outside of /ssl_bump/."

I suspect it was wrong from the very beginning, at least on the
conceptual level: That ACL should be usable during and after SslBump
steps. We may not support it in some contexts today, but the same can be
said of nearly every ACL.

I suggest removing that documentation line or at least replacing
"ssl_bump" with "SslBump".

Thank you,

Alex.
