[squid-users] ssl_bump for specific dstdomain
Yuri Voinov
yvoinov at gmail.com
Fri Mar 13 05:39:35 UTC 2015
13.03.15 2:37, Mukul Gandhi wrote:
> On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov at gmail.com>
> wrote:
>
> You only have an external helper (which you must write yourself) in
> 3.4.x.
>
>
>> Are there any examples that I can look at to implement this
>> external helper for doing selective ssl_bumps? And what would
>> this helper script do anyway? All we have is the destination IP
>> address, which is not really going to give us the actual HTTP
>> hostname.
Yes and no. There is one third-party helper in the list archives, written
in Python. None of this is included in the Squid distribution.
>
>
>
> Working with domains in ssl_bump is fully available in at least 3.5.x.
>
>
>> Does the 3.5.x implementation decrypt the whole payload and then
>> do the ssl_bump? The "peek" option seems to imply that only the
>> HTTP headers are peeked at.
Of course. As in 3.4.x. The difference is only in the mechanisms.
>
>> I guess what I am asking is, is there any way we can do this
>> without actually decrypting the payload?
The 3.5.x peek-and-splice functionality does the bump split into stages,
as opposed to 3.4.x, which does the bump in one stage.
>
>
>
> 12.03.15 21:01, Mukul Gandhi wrote:
>>>> I am running squid 3.4.8 and am looking for solutions to
>>>> ssl_bump for specific domains only. Going through the
>>>> archives it is clear that it is not possible unless the
>>>> reverse DNS points back to the domain that is to be ssl
>>>> bumped.
>>>>
>>>> So then what is the solution to this problem? I just want to
>>>> create an SSL whitelist of domains that are to be bumped and
>>>> the rest should be tunneled through. What I have is -
>>>>
>>>> ssl_bump none localhost
>>>> acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
>>>> ssl_bump server-first ssl_whitelist
>>>>
>>>> The file /tmp/ssl_whitelist.txt contains -
>>>>
>>>> .facebook.com
>>>> .twitter.com
>>>> .pintrest.com
>>>>
>>>> Of course, this doesn't work because the ip address for these
>>>> websites points back to <something>.akamaitechnologies.com.
>>>>
>>>> All I want is to be able to decrypt just the traffic to these
>>>> three web-sites, the rest should go through encrypted. But I
>>>> couldn't find a solution for this anywhere in the archives. I
>>>> did see some mention of using SslBump1/2/3 but it wasn't
>>>> clear if this was the silver bullet. Also I would have to
>>>> upgrade to 3.5 to use these new directives.
>>>>
>>>> Any idea how I can achieve this in 3.4.8 (if possible)? Or
>>>> if a solution exists for this in 3.5?
>>>>
>>>> Thanks, -Mukul
>>>>
>>>>
>>>>
>>>> _______________________________________________ squid-users
>>>> mailing list squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
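As an added illustration of what the 3.5 staged bump gives you (this is not code from the thread, from the helper Yuri mentions, or from Squid itself): the hostname sits in the plaintext SNI extension of the client's TLS ClientHello, so a peek at SslBump step 2 yields it without decrypting any payload, and a dstdomain-style whitelist can then decide bump or splice per host. The ClientHello builder and the whitelist entries are constructed test input; the whitelist copies the three entries from /tmp/ssl_whitelist.txt above.

```python
import struct

# Constructed whitelist: the three entries from /tmp/ssl_whitelist.txt in the thread.
SSL_WHITELIST = [".facebook.com", ".twitter.com", ".pintrest.com"]

def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: ".example.com" matches example.com and any subdomain."""
    host = host.lower().rstrip(".")
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in (x.lower() for x in patterns))

def build_client_hello(sni):
    """Constructed test input: a minimal TLS 1.2 ClientHello record with only an SNI extension."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # name_type host_name + host
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # type 0, ext len, list len
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """What 'peek' at SslBump step 2 sees: the SNI host from the plaintext ClientHello, or None."""
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]] if len(record) >= 5 else b""
    if record[:1] != b"\x16" or hs[:1] != b"\x01":
        return None                                            # not a handshake ClientHello
    pos = 4 + 2 + 32                                           # handshake header, version, random
    pos += 1 + hs[pos]                                         # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # cipher suites
    pos += 1 + hs[pos]                                         # compression methods
    if pos + 2 > len(hs):
        return None                                            # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                       # server_name: list_len(2) name_type(1) name_len(2) name
            nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
        pos += elen
    return None

def ssl_bump_decision(record):
    """3.5 peek-and-splice flow: peek the ClientHello, bump whitelisted hosts, splice everything else."""
    sni = extract_sni(record)
    return "bump" if sni and dstdomain_match(sni, SSL_WHITELIST) else "splice"
```

A connection whose ClientHello carries no SNI is spliced here, since there is nothing to match the whitelist against; that is the same reason the 3.4 reverse-DNS approach fails for CDN-hosted sites.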