[squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 13 10:52:35 UTC 2016


On 13/07/2016 5:46 a.m., Moataz Elmasry wrote:
> Hi Amos,
> 
> I kinda solved the problem (Thanks to you!!!)
> All that was needed is to peek the important domains in step2 in order not
> to cause them harm and bump everything else in step3. In this case I'm able
> to read the dns names in the redirect script and block them accordingly
> 
> Here is the relevant part:
> acl http_sites dstdomain play.google.com mydomain.com
> acl https_sites ssl::server_name play.google.com mydomain.com
> 
> ssl_bump peek step1 all
> ssl_bump peek step2 https_sites
> ssl_bump bump step3 all !https_sites #http_sites won't be bumped anyway. But just to be sure
> url_rewrite_access allow all !http_sites
> 
> Of course I'm still not able to rewrite https address as discussed, but
> this is a different story I guess.
> 
> The SslPeekAndSplice wiki page needs serious rework though as much of the
> stuff discussed here is not explained on the page, which makes life really
> hard for noobs like me. Is there a way to contribute back a little bit by
> reworking that wiki page? I'll try to write a small post about
> the SslPeekAndSplice in the next few days.

The answer to that is "yes, it's a wiki so anyone in the community can
improve it". The need to register as an editor is just a spam prevention
tactic.

For that particular page the lack of details is partially intentional.
Playing around with security protocols does require a certain level of
understanding. The page assumes that level of understanding is present
first.

But you are right the page does need some improvements. I would prefer
though for this page if you proposed changes in the Discussion page
associated with the SslPeekAndSplice page. Then the authors who
understand the feature and TLS more fully can make the adjustments.

Cheers
Amos
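
[Added example, not part of either message above and not the poster's script: a minimal url_rewrite_program helper showing why the quoted ssl_bump rules matter. A CONNECT target given only as IP:port has no name to match, while a bumped request carries the full https:// URL. The blocked names and block-page URL are assumptions; the line format follows Squid's URL-rewrite helper protocol (optional channel ID, URL, extras in; OK/ERR/BH out).]

```python
import ipaddress
import sys
from urllib.parse import urlsplit

# Assumptions for illustration only: blocked names and block-page URL.
BLOCKED = ("ads.example", "tracker.example")
BLOCK_URL = "http://blockpage.example/denied"


def host_of(url):
    """Host part of an absolute URL or of a CONNECT 'host:port' target."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return ""
    return (parts.hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(line):
    """Map one helper input line to one helper reply line."""
    fields = line.split()
    if not fields:
        return "BH"
    # With helper concurrency enabled, a numeric channel ID comes first
    # and must be echoed back in the reply.
    channel = ""
    if len(fields) > 1 and fields[0].isdigit():
        channel = fields.pop(0) + " "
    host = host_of(fields[0])
    if not host or is_ip(host):
        # Un-bumped CONNECT by IP: no domain is visible, leave it unchanged.
        return channel + "ERR"
    if any(host == d or host.endswith("." + d) for d in BLOCKED):
        return channel + 'OK status=302 url="%s"' % BLOCK_URL
    return channel + "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        print(decide(request), flush=True)  # Squid expects unbuffered replies
```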


