<div dir="auto">Hey guys,<div dir="auto"><br></div><div dir="auto">Can anyone please help me to get the knowledge about squid request parsing and handling. I mean in which files (.c) ACL settings are parsed and handled when request http recieved in squid.</div><div dir="auto"><br></div><div dir="auto">Thanks ,</div><div dir="auto">Vineet</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 23 Feb 2018 6:50 a.m., "Eliezer Croitoru" <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">OK then.<br>
If it's doable then it's only waiting for the client who will want to fund this feature.<br>
<br>
Thanks,<br>
Eliezer<br>
<br>
----<br>
Eliezer Croitoru<br>
Linux System Administrator<br>
Mobile: +972-5-28704261<br>
Email: <a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a><br>
<br>
<br>
<br>
-----Original Message-----<br>
From: Alex Rousskov [mailto:<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-<wbr>factory.com</a>]<br>
Sent: Thursday, February 22, 2018 23:19<br>
To: Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>>; <a href="mailto:squid-dev@lists.squid-cache.org">squid-dev@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-dev] SSL-BUMP distinguish between mobile devices such as IOS or ANDROID vs PC request<br>
<br>
On 02/22/2018 11:56 AM, Eliezer Croitoru wrote:<br>
<br>
> I was wondering about the options to distinguish mobile devices TLS\SSL<br>
> requests compared to PC one's.<br>
<br>
You need ACLs that can match various TLS Client Hello fields (mostly<br>
message version, protocol version, and ciphers) and a knowledgebase of<br>
typical Hellos for the devices/clients you are interested in. A<br>
Hello-based solution cannot be 100% reliable, but I bet you can identify<br>
many popular OS versions (and, as a consequence, even some physical<br>
devices) with a good-enough probability (for most applications).<br>
<br>
IIRC, Squid does not have ACLs that interrogate TLS Client Hello with<br>
the exception of SNI (i.e., ssl::server_name --client_requested).<br>
However, it should not be very difficult to add such ACLs and they would<br>
be generally useful IMO.<br>
<br>
<br>
Forward proxies can also examine CONNECT headers. That is already<br>
supported AFAIK.<br>
<br>
<br>
Examining TCP/IP packet headers would also be useful in many cases, but<br>
that is harder to do directly in Squid.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
______________________________<wbr>_________________<br>
squid-dev mailing list<br>
<a href="mailto:squid-dev@lists.squid-cache.org">squid-dev@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-dev" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-dev</a><br>
</blockquote></div></div>