[squid-users] sslbump and skype question

Marko Cupać marko.cupac at mimar.rs
Thu Jul 28 15:40:02 UTC 2016


Hi,

I'm using squid-3.5.20 to sslbump by default, and splice if needed:

---snip---
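# Domains to tunnel without decryption
acl splice_domains dstdomain "/usr/local/etc/squid/acl/splice_domains"

# Step 1: peek at the TLS client hello
acl step1 at_step SslBump1
ssl_bump peek step1
# Splice the listed domains, bump everything else
ssl_bump splice splice_domains
ssl_bump bump all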
---snip---

As far as I am aware, this setup works for most websites. The ones
which don't work are usually those with self-signed certificates, but I
am easily overriding them by adding problematic domains to the above acl.

My biggest problem is the fact that I can't make skype work with the
above config. So, if I reverse sslbump logic - splice by default and
bump if needed, skype works:

---snip---
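# Domains to decrypt and inspect
acl bump_domains dstdomain "/usr/local/etc/squid/acl/bump_domains"

# Step 1: peek at the TLS client hello
acl step1 at_step SslBump1
ssl_bump peek step1
# Bump the listed domains, splice everything else
ssl_bump bump bump_domains
ssl_bump splice all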
---snip---

In this setup skype works, but that kinda defeats the main purpose of my
proxy, which is to inspect https traffic for unwanted extensions and
mime types directly in squid, and viruses with squidclamav.

Is there a way to instruct squid to splice all numeric IPs? Would it make
skype work through squid or are there additional gotchas?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
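
Added example (not part of the original post and not Squid project code): before exempting every numeric-IP destination from bumping, it helps to measure how much CONNECT traffic such a rule would take out of inspection. This Python script tallies CONNECT targets from access.log, assuming Squid's default native log format; the log lines and addresses are constructed samples.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's default native access.log format.
SAMPLE_LOG = """\
1469720402.101    215 192.0.2.10 TCP_TUNNEL/200 4312 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -
1469720402.350    180 192.0.2.10 TCP_TUNNEL/200 3920 CONNECT www.example.com:443 - HIER_DIRECT/198.51.100.20 -
1469720403.007     95 192.0.2.11 TCP_TUNNEL/200 1280 CONNECT [2001:db8::5]:443 - HIER_DIRECT/2001:db8::5 -
1469720403.512    310 192.0.2.10 TCP_MISS/200 10240 GET http://www.example.org/ - HIER_DIRECT/198.51.100.30 text/html
1469720404.220    120 192.0.2.11 TCP_TUNNEL/200 2048 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -
"""

def connect_host(line):
    """Return the CONNECT target host of a native-format log line, else None."""
    fields = line.split()
    # Native format: time elapsed client action/code size method URL ...
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    host, sep, _port = fields[6].rpartition(":")
    if not sep:
        return None
    return host.strip("[]")  # IPv6 literals are logged in brackets

def is_numeric_ip(host):
    """True when the host is an IPv4 or IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(log_text):
    """Count CONNECT tunnels per target, split into numeric-IP and named hosts."""
    numeric, named = Counter(), Counter()
    for line in log_text.splitlines():
        host = connect_host(line)
        if host is None:
            continue
        (numeric if is_numeric_ip(host) else named)[host] += 1
    return numeric, named

if __name__ == "__main__":
    numeric, named = summarize(SAMPLE_LOG)
    print("numeric-IP CONNECT targets:", dict(numeric))
    print("named CONNECT targets:", dict(named))
```

Every destination in the numeric tally would bypass content and virus scanning under a "splice all numeric IPs" rule, so the list is worth reviewing before such a rule goes in.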

