[squid-users] Safesearch: blocking Google images error

Stanford Prescott stan.prescott at gmail.com
Fri Sep 4 21:05:48 UTC 2015


Thanks for catching that regex error. I will change it to what you suggest.

SNI not providing the needed server info would explain the problem, I guess.
I will just wait for any improvements to the SNI acl.

Stan

On Fri, Sep 4, 2015 at 3:59 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 5/09/2015 8:37 a.m., Stanford Prescott wrote:
> >> acl s1_tls_connect at_step SslBump1
> >> acl s2_tls_client_hello at_step SslBump2
> >> acl s3_tls_server_hello at_step SslBump3
> >>
> >> acl tls_server_name_is_ip ssl::server_name_regex \
> >> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
> >
> > You have a letter 'n' on the end there is that intentional?
> >
> > It would seem so. I copied that from someone else's "peek-splice"
> > directives that they said worked well for them. The actual regex in the
> > perl script that writes squid.conf is *"print FILE "acl
> > tls_server_name_is_ip ssl::server_name_regex
> > ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\n\n";*."
>
> That's not right. The script is broken.
>
> The '$' in that position is an anchor on the pattern. Not a variable
> perl is interpreting it as.
>
> Not that a $ anchor would work, since the input contains a ":port" section.
>
> A better raw-IP pattern is:
>
>
> ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
>
>
> I think the main problem though is that the SNI support is not yet fully
> polished.
>
> Amos
>
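
Added example (not part of the original messages): the patterns discussed in this thread, run against constructed host:port values. It assumes, as the reply states, that the matched value carries a ":port" section, and it uses Python's `re` as a stand-in for Squid's regex engine. `HEX_RANGE` is an assumed variant with full a-f ranges, included because the `[0-9af]` class in the suggested pattern does not cover the hex digits b to e.

```python
import re

# Patterns as they appear in the thread.
EMITTED = r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+n"       # what the Perl script wrote to squid.conf
INTENDED = r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"   # what the print statement was meant to emit
SUGGESTED = (r"^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|"
             r"(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443")
# Assumption, not from the thread: same pattern with complete hex ranges.
HEX_RANGE = SUGGESTED.replace("0-9af", "0-9a-fA-F")

PATTERNS = {
    "emitted": EMITTED,
    "intended": INTENDED,
    "suggested": SUGGESTED,
    "hex_range": HEX_RANGE,
}

# Constructed sample values in the host:port form the ACL is assumed to see.
SAMPLES = [
    "192.0.2.10:443",            # raw IPv4 (documentation range)
    "[2001:db8::1]:443",         # raw IPv6 containing hex digits b, d
    "[::1]:443",                 # raw IPv6 with digits only
    "www.google.com:443",        # ordinary host name
    "10x20y30z40n.example:443",  # host name that fits the unescaped-dot pattern
]


def classify(value):
    """Return the names of the patterns that match value, in PATTERNS order."""
    return [name for name, pat in PATTERNS.items() if re.search(pat, value)]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:28} -> {classify(sample) or 'no match'}")
```
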