[squid-users] Peek and splice where SNI not present

washuu rst at fomar.com.pl
Sat Oct 5 02:34:00 UTC 2019


Hi, 

I'm using Squid 3.5.27, and I want to filter some HTTPS traffic, based on
the hostnames. 

My SSL-related config is as follows:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
acl global_https_dst_allow ssl::server_name "/chroot/squid/etc/squid/global_dst_whitelist"
ssl_bump splice step2 global_https_dst_allow
ssl_bump terminate step2 proxyclients
http_access allow SSL_ports
http_access allow proxyclients
http_access deny all

Now I see that several SSL clients do NOT send an SNI hostname in the Client
Hello message, and what I get is denied access, with the following entry in
the log:

1570241666.136      5 192.168.3.99 TAG_NONE/200 0 CONNECT 52.202.211.224:443 - HIER_NONE/- - -

I have two questions then: 

1) For such cases, is there a possibility to filter traffic based on the
certificate provided by the Server Hello (instead of the SNI from the Client
Hello) in step3?
2) Is there a way to allow (by an additional ACL rule, perhaps) traffic
without the SNI field set? So actually I would be filtering OUT only the
sessions where SNI was present but the hostname did not match my whitelist.

Best regards, 

Washuu K.
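To tell which clients actually omit SNI (the case behind question 2), one can inspect the raw Client Hello bytes. The following is an added example, not code from the original post or from Squid: a minimal parser that returns the SNI host_name from a TLS ClientHello record, or None when the extension is absent, together with a builder for constructed sample ClientHellos used to exercise it.

```python
import struct
SNI_EXT_TYPE = 0  # TLS extension id for server_name (RFC 6066)

def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent."""
    # Record layer: content type (0x16 = handshake), version, length
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg type (1 = ClientHello) and 3-byte length
    if len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + ch[pos]                                  # skip session id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]  # skip cipher suites
    pos += 1 + ch[pos]                                  # skip compression methods
    if pos + 2 > len(ch):
        return None                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        data, pos = ch[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != SNI_EXT_TYPE:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name)
        lp = 2
        while lp + 3 <= len(data):
            nlen = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            if data[lp] == 0:                           # name_type 0 = host_name
                return data[lp + 3:lp + 3 + nlen].decode("ascii")
            lp += 3 + nlen
    return None

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello (sample data, not a real capture)."""
    body = (b"\x03\x03" + b"\x11" * 32                  # client_version + random
            + b"\x00"                                   # empty session id
            + b"\x00\x02\xc0\x2f"                       # one cipher suite
            + b"\x01\x00")                              # one compression method (null)
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Pointed at the first client-to-server record of a captured session, it tells you whether the client sent SNI at all, separating the no-SNI case from a hostname that simply failed the whitelist.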




