[squid-users] kinda confused about Peek and Splice
Marek Serafin
marek.serafin at helion.pl
Thu Sep 17 10:00:05 UTC 2015
Hello, I'm kinda confused about the "Peek and Splice" technique
introduced in Squid 3.5.x.
----------------------
My goal is to allow CONNECT-method ONLY to certain web-pages (mainly
banks, payment systems). The rest of https-sites should be allways bumped.
---------------------
And this can be easily achieved even in squid 3.3 (I'm talking about
situation where browser is totally aware of using proxy server -- not
transparent mode).
But when Squid allows CONNECT method - it allows any kind of TCP tunnel
(e.g. OpenVPN over TCP or ssh tunnel).
So, my real question is - if it's possible - using the new technique
(Peek and Splice) to allow Splice method - but ONLY to real HTTPS Sites
- not a ssh or VPN service?
(I'm still talking about the situation where browsers are aware of proxying)
I was thinking that it can be done by peeking in step 2 (peeing the
server certificate) BUT there is a limitation: peeking at the server
certificate usually precludes future bumping. So when we're peeking at
step 2 we can only splice later (or terminate) - which is not what I
wanted to achieve.
If above is not possible, what is the main advantage of "Peek and
Splice" comparing to old method (remember: browsers are aware of proxying).
I can see advantage in transparent mode - obtaining domain name by SNI.
But in "normal mode" squid knows the domain-name because of the connect
request? And knowing the domain-name we can decide what to do.
thx for any hints or explanation!
HELION SA, 44-100 Gliwice, ul. Kościuszki 1C
Numer KRS 0000121256 Sąd Rejonowy w Gliwicach,
X Wydział Gospodarczy Krajowego Rejestru Sądowego.
NIP 631-020-02-68, REGON: 271070648
Kapitał zakładowy: 500100 zł w całości wpłacony
More information about the squid-users
mailing list