[squid-users] Transparent proxy with Peek and Splice feature.
Vadim Rogoziansky
vrogoziansky.squid at gmail.com
Tue Dec 9 11:52:38 UTC 2014
Yeap, squid perfectly "splice" the destination domain after step1 or
step2 or step3 when the browser is set to use proxy directly.
But, it does not work in case of transparent proxy. Squid uses the
destination IP address instead of SNI details.
An example of the client IP address being used is below:
2014/11/27 01:15:22.851| DomainData.cc(110) match: aclMatchDomainList:
'212.42.77.232' NOT found
Thank you guys.
On 11/29/2014 6:17 AM, Amos Jeffries wrote:
> On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
>> Hello Amos.
>>
>> Thank you for answer.
>>
>> An investigation was made into squid's peek and splice issues in
>> transparent mode. The one-line explanation is as follows: in
>> intercept mode squid can't get a server host name from the request
>> header and uses the client IP address instead, both for fake cert
>> generation and as the SNI record in the server-side SSL handshake
>> when bumping. This is the root of the problem. However, this could be
>> fixed if squid used the SNI field taken from the client TLS Hello
>> message for those purposes. Can you hack squid in this way? What do
>> you think?
> I think peek-n-splice is supposed to already be doing that.
>
> However it does depend on whether you are bumping the connection at
> step 1 (before ClientHello), step 2 (after ClientHello, before
> ServerHello), or step 3 (after both ClientHello and ServerHello) of
> the TLS handshake whether the SNI details are present.
>
> Amos
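Amos's point is that the SNI name only exists once the ClientHello has been read (step 2), so an ACL evaluated at step 1 in intercept mode can only see the destination IP, which is exactly what the "'212.42.77.232' NOT found" log line shows. The following squid.conf fragment is an added illustration of how to order the ssl_bump rules so that the splice decision is taken at step 2 on the SNI value; it is not configuration from this thread. The ports, certificate paths, ssl_crtd location and the domain list are assumptions chosen for the example.

```conf
# Added example, not from the thread. Squid 3.5-style peek-and-splice
# for intercepted HTTPS. Paths, ports and domains are assumed values.

# Intercepted HTTPS is redirected by the firewall to this port.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints the fake server certificates (assumed install path).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Handshake stages as Squid exposes them:
#   step1: only the TCP destination IP is known (no ClientHello yet)
#   step2: the ClientHello, and therefore the SNI, has been read
#   step3: the server's ServerHello/certificate has also been seen
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Names to pass through untouched. Evaluated at step1 in intercept mode
# this ACL can only compare against the destination IP; evaluated at
# step2 it compares against the SNI from the ClientHello.
acl splice_sni ssl::server_name .example.com .example.net

# Step 1: do not decide on the IP alone; peek so the ClientHello is read.
ssl_bump peek step1
# Step 2: SNI is now available, so splice the listed names...
ssl_bump splice splice_sni
# ...and for everything else read the ServerHello while keeping the
# option to bump (peeking here instead would preclude bumping at step3).
ssl_bump stare step2
# Step 3: bump whatever was not spliced.
ssl_bump bump all
```

The key ordering point is that the `splice splice_sni` rule is only reached after `peek step1` has consumed the ClientHello; if `splice` were listed first, Squid would evaluate `ssl::server_name` at step 1 against the destination IP and the domain list would never match in intercept mode. For the non-transparent (browser-configured) case, the CONNECT request already carries the host name at step 1, which is why the original poster saw splicing work there.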