# adaptation_meta because it starts matching immediately after
# the service has been selected for adaptation.
+ acl aclname transaction_initiator initiator ...
+ # Matches transaction's initiator [fast]
+ #
+ # Supported initiators are:
+ # esi: matches transactions fetching ESI resources
+ # certificate-fetching: matches transactions fetching
+ # a missing intermediate TLS certificate
+ # cache-digest: matches transactions fetching Cache Digests
+ # from a cache_peer
+ # htcp: matches HTCP requests from peers
+ # icp: matches ICP requests to peers
+ # icmp: matches ICMP RTT database (NetDB) requests to peers
+ # asn: matches asns db requests
+ # internal: matches any of the above
+ # client: matches transactions containing an HTTP or FTP
+ # client request received at a Squid *_port
+ # all: matches any transaction, including internal transactions
+ # without a configurable initiator and hopefully rare
+ # transactions without a known-to-Squid initiator
+ #
+ # Multiple initiators are ORed.
+
+ acl aclname has component
+ # matches a transaction "component" [fast]
+ #
+ # Supported transaction components are:
+ # request: transaction has a request header (at least)
+ # response: transaction has a response header (at least)
+ # ALE: transaction has an internally-generated Access Log Entry
+ # structure; bugs notwithstanding, all transaction have it
+ #
+ # For example, the following configuration helps when dealing with HTTP
+ # clients that close connections without sending a request header:
+ #
+ # acl hasRequest has request
+ # acl logMe note important_transaction
+ # # avoid "logMe ACL is used in context without an HTTP request" warnings
+ # access_log ... logformat=detailed hasRequest logMe
+ # # log request-less transactions, instead of ignoring them
+ # access_log ... logformat=brief !hasRequest
+ #
+ # Multiple components are not supported for one "acl" rule, but
+ # can be specified (and are ORed) using multiple same-name rules:
+ #
+ # # OK, this strange logging daemon needs request or response,
+ # # but can work without either a request or a response:
+ # acl hasWhatMyLoggingDaemonNeeds has request
+ # acl hasWhatMyLoggingDaemonNeeds has response
+
IF USE_OPENSSL
acl aclname ssl_error errorname
# match against SSL certificate validation error [fast]
# SslBump2: After getting SSL Client Hello info.
# SslBump3: After getting SSL Server Hello info.
- acl aclname ssl::server_name .foo.com ...
+ acl aclname ssl::server_name [option] .foo.com ...
# matches server name obtained from various sources [fast]
#
- # The server name is obtained during Ssl-Bump steps from such sources
- # as CONNECT request URI, client SNI, and SSL server certificate CN.
- # During each Ssl-Bump step, Squid may improve its understanding of a
- # "true server name". Unlike dstdomain, this ACL does not perform
- # DNS lookups.
- # The "none" name can be used to match transactions where Squid
+ # The ACL computes server name(s) using such information sources as
+ # CONNECT request URI, TLS client SNI, and TLS server certificate
+ # subject (CN and SubjectAltName). The computed server name(s) usually
+ # change with each SslBump step, as more info becomes available:
+ # * SNI is used as the server name instead of the request URI,
+ # * subject name(s) from the server certificate (CN and
+ # SubjectAltName) are used as the server names instead of SNI.
+ #
+ # When the ACL computes multiple server names, matching any single
+ # computed name is sufficient for the ACL to match.
+ #
+ # The "none" name can be used to match transactions where the ACL
# could not compute the server name using any information source
- # already available at the ACL evaluation time.
+ # that was both available and allowed to be used by the ACL options at
+ # the ACL evaluation time.
+ #
+ # Unlike dstdomain, this ACL does not perform DNS lookups.
+ #
+ # An ACL option below may be used to restrict what information
+ # sources are used to extract the server names from:
+ #
+ # --client-requested
+ # The server name is SNI regardless of what the server says.
+ # --server-provided
+ # The server name(s) are the certificate subject name(s), regardless
+ # of what the client has requested. If the server certificate is
+ # unavailable, then the name is "none".
+ # --consensus
+ # The server name is either SNI (if SNI matches at least one of the
+ # certificate subject names) or "none" (otherwise). When the server
+ # certificate is unavailable, the consensus server name is SNI.
+ #
+ # Combining multiple options in one ACL is a fatal configuration
+ # error.
+ #
+ # For all options: If no SNI is available, then the CONNECT request
+ # target (a.k.a. URI) is used instead of SNI (for an intercepted
+ # connection, this target is the destination IP address).
acl aclname ssl::server_name_regex [-i] \.foo\.com ...
# regex matches server name obtained from various sources [fast]
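Review bot: the `--consensus` text ("When the server certificate is unavailable, the consensus server name is SNI") means that at any SslBump step before the server certificate has been received the option silently behaves like `--client-requested`, i.e. it matches a client-controlled name; the hunk should say so explicitly so that operators do not treat an early-step `--consensus` match as certificate-validated. Related wording point: the "For all options: If no SNI is available, then the CONNECT request target ... is used instead of SNI" paragraph reads as if it also applies to `--server-provided`, which never consults SNI; suggest "For options that use SNI:" instead. Two smaller items in the same hunk: "asn: matches asns db requests" should spell out the database ("AS number (ASN) database requests"), and "all transaction have it" should read "all transactions have it".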
For CONNECT requests that initiated bumping of
a connection and for any request received on
an already bumped connection, Squid logs the
- corresponding SslBump mode ("server-first" or
- "client-first"). See the ssl_bump option for
- more information about these modes.
+ corresponding SslBump mode ("splice", "bump",
+ "peek", "stare", "terminate", "server-first"
+ or "client-first"). See the ssl_bump option
+ for more information about these modes.
A "none" token is logged for requests that
triggered "ssl_bump" ACL evaluation matching
- either a "none" rule or no rules at all.
+ a "none" rule.
In all other cases, a single dash ("-") is
logged.
- ssl::>sni SSL client SNI sent to Squid. Available only
- after the peek, stare, or splice SSL bumping
- actions.
+ ssl::>sni SSL client SNI sent to Squid.
ssl::>cert_subject
The Subject field of the received client
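Review bot: dropping "or no rules at all" from the "none" token description leaves the case where `ssl_bump` is evaluated but no rule matches undocumented; state whether that case now logs "none" or falls under "In all other cases, a single dash ("-") is logged". Likewise, removing the availability caveat from `ssl::>sni` ("Available only after the peek, stare, or splice SSL bumping actions") without a replacement implies SNI is always present, but no SNI exists before the client Hello has been parsed; suggest keeping a sentence that names when the value becomes available and what is logged before that.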