[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Sep 23 11:07:28 UTC 2015


Hello,

>>> On 17.09.15 18:47, Yuri Voinov wrote:
>>>> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
>>>> ssl_bump splice NoSSLIntercept
>>
>>>> # Privoxy+Tor access rules
>>>> never_direct allow tor_url
>>
>>>> cache_peer_access 127.0.0.1 allow tor_url

>> On 18.09.15 21:22, Matus UHLAR - fantomas wrote:
>>> I wonder if the never_direct and cache_peer_access should not use the same
>>> acl as "ssl_bump splice".

On 20.09.15 20:59, Amos Jeffries wrote:
>Maybe for values but ssl::server_name ACL may not work outside ssl_bump.
>
>It might, or it might not be usable by the other *_access rules and
>depends on whether the matching decisions for those rule sets is the
>same for the ssl_bump ones. That latter condition is a big 'IF'.

I wonder how this matches. The SNI should only be seen when the https
connection is received, either by intercepting https or by a client using HTTPS
to connect to the proxy. On an unintercepted HTTP port that received a CONNECT request,
it would only see the CONNECT string, e.g. "CONNECT kaspi.kz:443", correct?

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    One OS to rule them all, One OS to find them, 
One OS to bring them all and into darkness bind them 
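To make the distinction in the question concrete, here is an added example (not from the thread or from Squid) that parses both things a proxy can see: the CONNECT request line, which carries only host:port, and the TLS ClientHello that follows on the tunnel, which is the first place a server_name (SNI) appears. The request and the ClientHello are constructed inline; the hostname kaspi.kz is reused from the quoted config.

```python
import struct
from typing import Optional, Tuple

# Constructed sample: all a forward proxy sees before any TLS bytes flow.
CONNECT_REQUEST = b"CONNECT kaspi.kz:443 HTTP/1.1\r\nHost: kaspi.kz:443\r\n\r\n"

def connect_target(request: bytes) -> Tuple[str, int]:
    """Return (host, port) from the CONNECT request line; no SNI exists yet."""
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    return host, int(port)

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record whose only extension is server_name."""
    name = sni.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name           # host_name type + name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random (zeroed here), empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_sni(record: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello record; None if not a ClientHello or no SNI."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                     # record/handshake headers, version, random
    p += 1 + record[p]                                 # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                                 # compression methods
    if p + 2 > len(record):
        return None                                    # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                 # server_name: list len(2), type(1), len(2), name
            nlen = struct.unpack("!H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None
```

Running the CONNECT bytes through client_hello_sni returns None, which is the point: an ACL keyed on the SNI can only be evaluated once the ClientHello inside the tunnel has been read.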

