[squid-users] regex for normal websites

ngtech1ltd at gmail.com ngtech1ltd at gmail.com
Tue Aug 2 12:05:02 UTC 2022


I believe it should have been:
^adobe\.com$
^.*\.adobe\.com$
^\*\.adobe\.com$
 
But I don’t know the code to this depth.
If I would have written the match I think it would have been something a bit different.
*	A match for SNI
*	A joker match for SAN, i.e. *.adobe.com SAN should catch both www.www.adobe.com
 
But for some reason it’s not like that, I assume the browsers and the libraries don’t implement it for an unknown reason.
 
If Alex or anyone else from Factory knows the details of the ACL they can answer more than me.
 
Thanks,
Eliezer
 
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
 
From: robert k Wild <robertkwild at gmail.com> 
Sent: Tuesday, 2 August 2022 14:51
To: Eliezer Croitoru <ngtech1ltd at gmail.com>
Cc: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] regex for normal websites
 
thanks Eliezer
 
so it should be
 
adobe\.com
 
not
 
.adobe.\com or
 
^.*adobe.com
 
as the ^.* could include
 
blahadobe.com
 
 
 
On Thu, 28 Jul 2022 at 08:14, <ngtech1ltd at gmail.com> wrote:
Hey Robert,
 
The docs at http://www.squid-cache.org/Doc/config/acl/ state:
 
        acl aclname ssl::server_name_regex [-i] \.foo\.com ...
          # regex matches server name obtained from various sources [fast]
 
I do not know exactly what it means, but it will not work with a helper in most cases.
I have found the following sources in the git:
https://github.com/squid-cache/squid/blob/bf95c10aa95bf8e56d9d8d1545cb5a3aafab0d2c/doc/release-notes/release-3.5.sgml#L414
 
                New types ssl::server_name  and ssl::server_name_regex
                   to match server name from various sources (CONNECT authority name,
                   TLS SNI domain, or X.509 certificate Subject Name).
 
Which means that there is a set of checks which the acl does and not just a domain name.
It’s also even possible that the domain name is not known in the CONNECT state of the connection.
If I remember correctly there is a possibility for browsers to use the same exact connection for multiple domains but
I have not seen this yet in production.
With Squid once you bump the connection to HTTP/1.x you can make 100% sure the features of the Host header request.
 
At Servername.cc ie:
https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L81 
 
There is a specific logic of what is done and what is matched but I am not sure what would be used in the case of:
*.adobe.com
 
Certificate SAN.
 
Specifically this part of the Common Names, i.e. SAN:
https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L105
 
which to my understanding points to:
https://github.com/squid-cache/squid/blob/d146da3bfe7083381ae7ab38640cbfd0d2542374/src/ssl/support.cc#L195
 
doesn’t make any sense to me (I didn’t try that much to understand).
 
If someone might be able to make sense of things in a synchronic fashion it would help.
(I do not see any debugs usage there or any helping comment )
 
Thanks,
Eliezer
 
 
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of robert k Wild
Sent: Wednesday, 27 July 2022 13:52
To: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] regex for normal websites
 
that's the weird thing, when i try this in  "ssl::server_name_regex"
.adobe.com
 
it doesn't work
 
you mean escape ie the \ character
 
 
 
 
 
On Wed, 27 Jul 2022 at 11:05, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
On 27.07.22 10:54, robert k Wild wrote:
>think i got it right but just want to double check with you guys
>
>so in my "ssl::server_name" i had
>.adobe.com
>
>that worked but i want to mix normal website and regex websites together so
>i just have one list for all

didn't the above work?  AFAIK it should, IIRC domain matching in squid 
matches "domain.com" if you check for ".domain.com".

>i now have this for "ssl::server_name_regex"
>^.*adobe.com$
>
>it works, so im guessing its right

the dot should be escaped


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


 
-- 
Regards, 

Robert K Wild.


-- 
Regards, 

Robert K Wild.
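
Added example, not part of the original messages and not Squid code: a small harness that runs the patterns quoted in this thread against constructed host names, to show which ones miss wanted names and which ones over-match (the blahadobe.com case). Assumptions: Python's `re.search` stands in for Squid's unanchored regex matching, the host names are constructed, and `SINGLE` is a single-pattern alternative introduced here for comparison.

```python
import re

# Patterns quoted in the thread, in the order they were discussed.
THREAD_PATTERNS = [
    r".adobe.com",
    r"^.*adobe.com$",
    r"adobe\.com",
    r"^adobe\.com$",
    r"^.*\.adobe\.com$",
    r"^\*\.adobe\.com$",
]
# The three-entry list proposed in the top message; ACL values are OR'ed.
PROPOSED_SET = THREAD_PATTERNS[3:]
# Assumption: a single-pattern alternative added here, not from the thread.
SINGLE = r"(^|\.)adobe\.com$"

# Constructed names. "*.adobe.com" stands for a wildcard certificate name
# taken as a literal string, the case the last thread pattern targets.
WANTED = ["adobe.com", "www.adobe.com", "www.www.adobe.com", "*.adobe.com"]
UNWANTED = ["blahadobe.com", "adobe.com.example.net", "www.adobexcom", "xadobe-com"]


def hits(patterns, name):
    """True if any pattern matches; re.search is unanchored, like regexec()."""
    return any(re.search(p, name) for p in patterns)


def evaluate(patterns):
    """Return (missed, overmatched) for one pattern or a list of patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    missed = [n for n in WANTED if not hits(patterns, n)]
    overmatched = [n for n in UNWANTED if hits(patterns, n)]
    return missed, overmatched


def report():
    """One row per thread pattern, then the proposed set, then SINGLE."""
    rows = [(p, *evaluate(p)) for p in THREAD_PATTERNS]
    rows.append((" | ".join(PROPOSED_SET), *evaluate(PROPOSED_SET)))
    rows.append((SINGLE, *evaluate(SINGLE)))
    return rows


if __name__ == "__main__":
    for pattern, missed, over in report():
        print(f"{pattern:48} missed={missed} overmatched={over}")
```

Only patterns that escape the dots and anchor on a label boundary come back with both lists empty; the unescaped and unanchored forms either miss the bare domain or accept look-alike names.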