[squid-users] ssl_bump for specific dstdomain
mukulg at gwmail.gwu.edu
Thu Mar 12 20:37:44 UTC 2015
On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
> You only have external helper (which you must write yourself) in 3.4.x.
Are there any examples that I can look at to implement this external
helper for doing selective ssl_bumps? And what would this helper script do
anyways? All we have is the destination IP address which is not really
going to give us the actual HTTP hostname.
> Works with domains in ssl bump fully available at least 3.5.x
Does the 3.5.x implementation decrypt the whole payload and then do the
ssl_bump? The "peek" option seems to imply that only the HTTP headers are
I guess what I am asking is, is there any way we can do this without
actually decrypting the payload?
> 12.03.15 21:01, Mukul Gandhi wrote:
> > I am running squid 3.4.8 and am looking for solutions to ssl_bump
> > for specific domains only. Going through the archives it is clear
> > that it is not possible unless the reverse DNS points back to the
> > domain that is to be ssl bumped.
> > So then what is the solution to this problem? I just want to create
> > an SSL whitelist of domains that are to be bumped and the rest
> > should be tunneled through. What I have is -
> > ssl_bump none localhost
> > acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
> > ssl_bump server-first ssl_whitelist
> > The file /tmp/ssl_whitelist.txt contains -
> > .facebook.com
> > .twitter.com
> > .pintrest.com
> > Of course, this doesn't work because the ip address for these
> > websites points back to <something>.akamaitechnologies.com.
> > All I want is to be able to decrypt just the traffic to these
> > three web-sites, the rest should go through encrypted. But I
> > couldn't find a solution for this anywhere in the archives. I did
> > see some mention of using SslBump1/2/3 but it wasn't clear if this
> > was the silver bullet. Also I would have to upgrade to 3.5 to use
> > these new directives.
> > Any idea how I can achieve this in 3.4.8 (if possible)? Or if a
> > solution exists for this in 3.5?
> > Thanks, -Mukul
> > _______________________________________________ squid-users mailing
> > list squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users