[squid-users] Strange Squid SSL Interception Behavior
Amos Jeffries
squid3 at treenet.co.nz
Tue Aug 25 07:16:59 UTC 2020
On 25/08/20 1:09 pm, Mathew Brown wrote:
> Thanks but even with the --no-check-certificate option and using a bump
> instead of splicing, it still fails as shown above unless I add the
> localnet rule. The question is: why does the same ACL line:
>
> http_access allow whitelist
>
> suddenly work when I add an unrelated ACL line after it (http_access
> allow localnet)? Why does it correctly determine the domain httpbin.org
> in the later case as shown by cache.log?
>
The email from Alex Alex you are replying to already answers both those
questions completely.
> *From:* Alex Rousskov
...
>
> The rules above only allow CONNECT requests to .httpbin.org domains.
>
> During step1, when Squid intercepts a TLS connection to an IP address of
> an .httpbin.org domain, Squid http_access rules are applied to a (fake)
> CONNECT request to the destination IP address. There are no domain names
> at that TCP-level bumping stage. Thus, you place your Squid at the mercy
> of reverse DSN lookups.
>
> In my environment, reverse DNS does not work for httpbin.org the way you
> may expect:
>
>> $ host 54.236.246.173
>> 173.246.236.54.in-addr.arpa domain name pointer ec2-54-236-246-173.compute-1.amazonaws.com.
>
> The above AWS domain name does not match your whitelist ACLs, of course,
> and, hence, the fake CONNECT request is denied.
Amos
More information about the squid-users
mailing list