<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:145711044;
mso-list-type:hybrid;
mso-list-template-ids:-1183563204 865892564 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hey Ben,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have seen your email however didn’t had enough time to respond.<o:p></o:p></p><p class=MsoNormal>I and others need some free time…<o:p></o:p></p><p class=MsoNormal>I am more then willing to test this issue in my local test environment.<o:p></o:p></p><p class=MsoNormal>I can test it on Oracle Enterprise Linux 8 with the latest 4.x version.<o:p></o:p></p><p class=MsoNormal>We can simplify things by creating a very specific environment without any unknowns.<o:p></o:p></p><p class=MsoNormal>You will need to provide the full details of the testing setup and the content of:<o:p></o:p></p><p class=MsoNormal>acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/url-no-bump"<br>acl NoSSLInterceptRegexp ssl::server_name_regex -i "/usr/local/squid/etc/url-no-bump-regexp"<br><br><o:p></o:p></p><p class=MsoNormal>In my environment it works as expected without any issues while I am not user ssl::server_name_regex<o:p></o:p></p><p class=MsoNormal>The docs clearly state:<o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> acl aclname ssl::server_name_regex [-i] \.foo\.com ...<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> # regex matches server name obtained from various sources [fast]<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So you should try to use:<o:p></o:p></p><pre> acl aclname ssl::server_name [option] .foo.com ...<o:p></o:p></pre><pre> # matches server name obtained from various sources [fast]<o:p></o:p></pre><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Instead as a starter point.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I understand you need some help but I and others have other obligations in life so it would happen from time to time<o:p></o:p></p><p class=MsoNormal>that someone is not free to try and help you.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All The Bests,<o:p></o:p></p><p class=MsoNormal>Eliezer<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'>If someone would have provided me with enough food and other living expenses I might have been free enough to help you.<span lang=HE dir=RTL><o:p></o:p></span></li></ul><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>----<o:p></o:p></p><p class=MsoNormal>Eliezer Croitoru<o:p></o:p></p><p class=MsoNormal>NgTech, Tech Support<o:p></o:p></p><p class=MsoNormal>Mobile: +972-5-28704261<o:p></o:p></p><p class=MsoNormal>Email: <a href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> squid-users <squid-users-bounces@lists.squid-cache.org> <b>On Behalf Of </b>Ben Goz<br><b>Sent:</b> Thursday, February 17, 2022 14:47<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> Re: [squid-users] Splice certain SNIs which served by the same IP<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>By the help of God.<o:p></o:p></p></div><div><p class=MsoNormal>Any insights?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Ben<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal dir=RTL style='text-align:right;direction:rtl;unicode-bidi:embed'><span dir=RTL></span><span dir=RTL></span><span lang=HE><span dir=RTL></span><span dir=RTL></span>בתאריך יום ב׳, 14 בפבר׳ 2022 ב-15:49 מאת </span><span dir=LTR>Ben Goz</span><span dir=RTL></span><span dir=RTL></span><span lang=HE><span dir=RTL></span><span dir=RTL></span> <<a href="mailto:ben.goz87@gmail.com"><span lang=EN-US dir=LTR>ben.goz87@gmail.com</span></a>>:</span><span dir=LTR><o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal>By the help of God.<span lang=HE dir=RTL><o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Hi,<o:p></o:p></p></div><div><p class=MsoNormal>Ny squid version is 4.15, using it on tproxy configuration.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm using ssl bump to intercept https connection, but I want to splice several domains.<o:p></o:p></p></div><div><p class=MsoNormal>I have a problem that when I'm splicing some google domains eg. <a href="http://youtube.com" target="_blank">youtube.com</a> then<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://gmail.com" target="_blank">gmail.com</a> domain also spliced.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I know that it is very common for google servers to host multiple domains on single server.<o:p></o:p></p></div><div><p class=MsoNormal>And I suspect that when I'm splicing for example <a href="http://youtube.com" target="_blank">youtube.com</a> it'll also splices <a href="http://google.com" target="_blank">google.com</a>.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> Here are my squid configurations for the ssl bump:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>https_port xxxx ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA<br><br>acl DiscoverSNIHost at_step SslBump1<br><br>acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/url-no-bump"<br>acl NoSSLInterceptRegexp ssl::server_name_regex -i "/usr/local/squid/etc/url-no-bump-regexp"<br>ssl_bump splice NoSSLInterceptRegexp_always<br>ssl_bump splice NoSSLIntercept<br>ssl_bump splice NoSSLInterceptRegexp<br>ssl_bump peek DiscoverSNIHost<br>ssl_bump bump all<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></blockquote></div></div></body></html>