[squid-dev] SSL-BUMP distinguish between mobile devices such as IOS or ANDROID vs PC request

Vineet Awasthi vineetawasthi.technocrat at gmail.com
Fri Feb 23 05:09:34 UTC 2018


Hey guys,

Can anyone please help me to get the knowledge about squid request parsing
and handling. I mean in which files (.c) ACL settings are parsed and
handled when request http recieved in squid.

Thanks ,
Vineet

On 23 Feb 2018 6:50 a.m., "Eliezer Croitoru" <eliezer at ngtech.co.il> wrote:

> OK then.
> If it's doable then it's only waiting for the client who will want to fund
> this feature.
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov at measurement-factory.com]
> Sent: Thursday, February 22, 2018 23:19
> To: Eliezer Croitoru <eliezer at ngtech.co.il>; squid-dev at lists.squid-cache.
> org
> Subject: Re: [squid-dev] SSL-BUMP distinguish between mobile devices such
> as IOS or ANDROID vs PC request
>
> On 02/22/2018 11:56 AM, Eliezer Croitoru wrote:
>
> > I was wondering about the options to distinguish mobile devices TLS\SSL
> > requests compared to PC one's.
>
> You need ACLs that can match various TLS Client Hello fields (mostly
> message version, protocol version, and ciphers) and a knowledgebase of
> typical Hellos for the devices/clients you are interested in. A
> Hello-based solution cannot be 100% reliable, but I bet you can identify
> many popular OS versions (and, as a consequence, even some physical
> devices) with a good-enough probability (for most applications).
>
> IIRC, Squid does not have ACLs that interrogate TLS Client Hello with
> the exception of SNI (i.e., ssl::server_name --client_requested).
> However, it should not be very difficult to add such ACLs and they would
> be generally useful IMO.
>
>
> Forward proxies can also examine CONNECT headers. That is already
> supported AFAIK.
>
>
> Examining TCP/IP packet headers would also be useful in many cases, but
> that is harder to do directly in Squid.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20180223/1e9a9800/attachment.html>


More information about the squid-dev mailing list