[squid-users] transparent proxy splice using dstdomain issue

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 7 12:55:53 UTC 2015


On 7/07/2015 11:45 p.m., S.Kirschner wrote:
> Hi, I'm using squid version 3.5.3 as a transparent proxy in pfSense and got an
> issue with my configuration.
> 
> I would like to bump SSL connections and some should be spliced (for the
> example I used "sparkasse.de"); in my case banking sites should be spliced.
> 
> It's working fine when I use IPs for the ACLs or insert the hostname in
> /etc/hosts,
> but I think neither can be the solution.
> 
> I think the issue exists because the reverse lookup doesn't get the answer
> "sparkasse.de", but why does it not use the hostname from the DNS request to
> the DNS server?

Because Squid is not a DNS server.

The HTTP message details including URL where dstdomain comes from are
encrypted at the time you are trying to use the dstdomain ACL.

Please upgrade to the latest 3.5 release (today that is 3.5.6) and use
the "ssl::server_name" ACL instead of dstdomain for ssl_bump access
controls. It grabs the domain name (if any) from TLS directly without
needing decryption first.

> 
> Also got errors that the ssl accept failed.
> 
> Below you could see my squid.conf and the entries from the cache.log for
> both cases.
> 
> *Without hostname in etc/hosts*
> 
> 
> *With hostname in etc/hosts*
> 
> 
> *SSL accept log entries*
> 
> 
> *Squid.conf*
> 

Please be aware when using the Nabble interface that fancy embedded
quotations are not sent to the mailing list. Only the plain message text.

Amos
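The ssl::server_name approach Amos recommends above, written out as an added squid.conf fragment (not part of the original thread, and not taken from the poster's configuration): the peek step reads the SNI from the client's TLS ClientHello, so the banking domain can be matched and spliced without any decryption, while everything else is bumped. The intercept port, certificate path and domain are assumptions; "sparkasse.de" is the example domain from the thread.

```squid
# Added example: splice banking sites by TLS SNI instead of by dstdomain.
# Assumed intercept port and CA certificate path; adjust to your deployment.
https_port 3129 intercept ssl-bump \
    cert=/path/to/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# SslBump1: only TCP-level details (destination IP/port) are known.
# The SNI becomes available once the ClientHello has been peeked at.
acl step1 at_step SslBump1

# Weak form (what the thread started with): dstdomain needs the decrypted
# URL or a reverse DNS answer, neither of which exists at this point.
# acl banking dstdomain .sparkasse.de

# Working form: match on the server name the client sent in the TLS SNI.
acl banking ssl::server_name .sparkasse.de

# Step 1: peek to obtain the SNI without committing to bump or splice.
ssl_bump peek step1
# Step 2: pass banking traffic through untouched (no decryption, no
# forged certificate), bump everything else.
ssl_bump splice banking
ssl_bump bump all
```

Clients that send no SNI (older software, or connections made directly to an IP) will not match the banking ACL and fall through to the bump rule, so check cache.log for such hosts before relying on this list.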
