[squid-users] Allow some domains to bypass Squid

Alex Crow alex at nanogherkin.com
Sun Mar 11 15:48:35 UTC 2018


>> 
>> 
>> The alternative for ssl-bump is the splice action. For that you only
>> need to know the server names each company uses.
> 

OP,

It would be a lot easier to just create exceptions on the squid device 
for sites where bumping doesn't work, which cause them to be tunnelled or 
spliced rather than bumped. You can then at least use dstdomain or 
ssl:servername rules. dstdomain will let you tunnel or splice, whereas 
ssl servername you will only be able to splice as an SSL connection must 
already have been started AFAIK. Your firewall will probably need 
restarting every time one of the IP addresses behind those hostnames 
changes. Squid will at least do a lookup every request for dstdomain 
(you need a good DNS server nearby or on the squid box).

BTW, peek/splice/bump is not just install and forget. It needs 
maintenance and care in deployment.

Adding transparent into the mix makes it more difficult, as I can see 
you have found.

Try to keep the architecture as simple as you can and use each part to 
its best ability. Simple firewalls using hostnames for rules are a path 
to severe pain where round-robin is in place. Might be OK with a big, 
expensive FW appliance that has the ability to do a DNS lookup for every 
connection.

Cheers

Alex
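An added illustration of the exception approach described in the post (not Alex's configuration, not from the Squid project): a squid.conf sketch that splices listed sites and bumps the rest. The port, ACL names and file paths are placeholders; the ACL type the post calls "ssl servername" is spelled ssl::server_name in squid.conf.

```conf
# Explicit proxy port with SSL-Bump enabled (cert path is a placeholder).
http_port 3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on

# SSL-Bump step markers.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# One hostname list reused by both ACL types (placeholder path).
# List sites where bumping breaks, e.g. pinned or client-cert apps.
acl nobump_domains dstdomain "/etc/squid/nobump_domains.txt"
acl nobump_sni     ssl::server_name "/etc/squid/nobump_domains.txt"

# Explicit-proxy clients: the CONNECT request names the destination,
# so dstdomain can match at step1 and the connection is spliced
# (tunnelled through) without peeking at the TLS handshake at all.
ssl_bump splice nobump_domains

# Intercepted (transparent) traffic only exposes the destination IP at
# step1, so the name is not known until the ClientHello is peeked.
# Peek first to read the SNI ...
ssl_bump peek step1

# ... then splice when the SNI is on the exception list, otherwise bump.
# A spliced connection cannot be bumped later, which is the limit the
# post notes for servername-based rules.
ssl_bump splice nobump_sni
ssl_bump bump all
```

Because the name list is consulted per connection by Squid itself, the upstream firewall only needs to permit the proxy's egress rather than track the changing IPs behind each hostname.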
