<font face="Arial" color="#000000">Hi</font><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000">Thanks Marcus</font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000">I have been hacking my own branch of Squidguard so I can add support for the SNI (I hope)</font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000">How would I get the peek SNI output to the url_rewriter?</font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000">I am a bit of a peek new comer.</font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000">Sounds like there is some hope and a possible way forward.</font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000">regards</font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000">Darren B.</font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000"><br></font></div><div><font face="Arial" color="#000000"><br></font><font face="Arial" color="#000000"><div><br></div><div class="mb_sig">Sent from <a href="http://www.getmailbird.com/?utm_source=Mailbird&utm_medium=email&utm_campaign=sent-from-mailbird" target="_blank">Mailbird</a></div></font><blockquote class="history_container" type="cite" style="border-left-style:solid;border-width:1px; margin-top:20px; margin-left:0px;padding-left:10px;">
<p style="color: #AAAAAA; margin-top: 10px;">On 9/01/2016 5:46:36 PM, Marcus Kool <marcus.kool@urlfilterdb.com> wrote:</p><br><br>On 01/09/2016 05:07 AM, Darren wrote:<br>> Hi<br>><br>> I am trying to hack squidguard to allow me to redirect users attempts to connect to blocked https enabled sites.<br>><br>> Some sites are allowed and the bulk are not. Currently I can see the Connect details being handed to SG for processing and if I change this to return a redirect to make it point to a different server<br>> it breaks and gives me an SSL error (as would be expected)<br><br>indeed, "as expected"...<br>The HTTP protocol supportly support redirection of URL by sending a 30x status code back to he browser.<br>HTTPS, which is SSL+HTTP is "safe" encrypted channel where HTTP is inside the channel and<br>explicitly is designed not to be tampered with. So redirecting a channel to an other website<br>always will cause a certificate error, unless ...<br> 1) one uses ssl-bump<br> 2) installs the Squid fake CA certificate in all browsers<br> 3) one has a policy for the other protocols (e.g. Skype) that use CONNECT<br><br>> Is there a way I can get this redirection call to squidguard happened earlier in squid before it gets this far down the CONNECT process? Or is there something that I can return from Squidguard that<br>> would make this work? I notice that the connect attempts are always just the IP address, so something earlier in the processing is doing a reverse DNS lookup, is this the Browser of Squid and if so<br>> can I get in earlier during the process?<br><br>The above implies that you use Squid in interception mode where it initially can only see the IP address of the server.<br>In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL redirector that can cope with the SNI <br>parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in February.<br><br>Marcus<br><br>><br>> I want to maintain the various lists in just squidguard and not put in ACLs in squid.conf<br>><br>> thanks<br>><br>> Darren B.<br>_______________________________________________<br>squid-users mailing list<br>squid-users@lists.squid-cache.org<br>http://lists.squid-cache.org/listinfo/squid-users<br>
</blockquote>
</div>