[squid-users] grab hostnames via SNI to use it for parent proxy

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 4 22:22:47 UTC 2015


On 5/06/2015 3:59 a.m., Atman Sense wrote:
> Hi,
> 
> I'm using privoxy in transparent/intercepting mode to filter tracking
> sites. Because many sites switched to https I want to block https sites,
> too (only by hostnames, I don't want to decrypt the SSL connections).
> 
> My idea was to use squid to intercept https connections and peek/splice
> to get the hostname via SNI.
> 
> The problem is: When using a parent proxy, squid always "CONNECT" the IP
> and not the hostname, even if it is aware of it through SNI. Can I get
> squid to use the hostnames instead of IPs?

You can block by SNI in the ssl_bump checks without having bumped the
connection.

Like so:

 # get the public TLS metadata (includes SNI)
 ssl_bump peek all

 # block based on SNI matching (or server cert matching)
 acl blocked ssl::server_name .example.com
 ssl_bump terminate blocked

 # tunnel (no decrypting) for everything else
 ssl_bump splice all


Note that you do have to allow the "CONNECT raw-IP:443 ..." requests
through http_access to the bumping logic.

Amos
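To illustrate what the "peek" step above actually sees, here is an added example (not part of the thread, not squid code): it constructs a minimal TLS ClientHello, extracts the SNI host name from the cleartext handshake without any decryption, and then checks it against a leading-dot pattern. The `is_blocked` matching is an assumed approximation of squid's dstdomain-style ACL semantics, and the ClientHello bytes are a constructed sample.

```python
import struct

def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (constructed sample input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
    sni = struct.pack("!H", len(entry)) + entry                       # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                       # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # TLS record header

def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 43                                  # record(5) + handshake(4) + version(2) + random(32)
        pos += 1 + record[pos]                    # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                    # compression methods
        if pos >= len(record):
            return None                           # no extensions block at all
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0 and record[pos + 2] == 0:   # server_name ext, first entry is host_name
                nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def is_blocked(sni, patterns):
    """Approximate the leading-dot ACL semantics used in the reply (assumed to follow
    squid's dstdomain style): '.example.com' matches the domain and all subdomains."""
    host = sni.lower().rstrip(".")
    for p in (q.lower() for q in patterns):
        if p.startswith(".") and (host == p[1:] or host.endswith(p)):
            return True
        if host == p:
            return True
    return False
```

A ClientHello with no server_name extension (or a non-handshake record) yields None, which is the case a terminate rule keyed only on SNI cannot act on.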


