[squid-users] substituing sniproxy for squid
Amos Jeffries
squid3 at treenet.co.nz
Mon Feb 1 12:08:27 UTC 2016
On 1/02/2016 11:35 a.m., Luis Daniel Lucio Quiroz wrote:
> Hello
>
> Can anyone give some clue, link something to read on how to do the HTTPs
> work with SNI, i just want to forward to the correct server based on the
> SNI. I want to get rid of SNIproxy in favor of squid.
That should be possible with Squid-3.5 or later by intercepting the port
443 traffic (*not* reverse-proxy / accel) and using:
acl step1 at_step SslBumpStep1
ssl_bump peek step1
ssl_bump splice all
But be aware that SNI does not provide any guarantee of "correct
server". HTTP (even in its 'HTTPS' form) is a multiplexed messaging
protocol. When you do the above Squid will not be able to protect you
against any Host header attacks buried inside the TLS layer - not that
sniproxy does either (in fact sniproxy seems by design to actively
_enable_ those type of vulnerabilities).
Amos
More information about the squid-users
mailing list