[squid-users] ssl_bump for specific dstdomain

Mukul Gandhi mukulg at gwmail.gwu.edu
Thu Mar 12 15:01:51 UTC 2015


I am running squid 3.4.8 and am looking for solutions to ssl_bump for
specific domains only. Going through the archives it is clear that it is
not possible unless the reverse DNS points back to the domain that is to be
ssl bumped.

So then what is the solution to this problem? I just want to create an SSL
whitelist of domains that are to be bumped and the rest should be tunneled
through. What I have is -

ssl_bump none localhost
acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
ssl_bump server-first ssl_whitelist

The file /tmp/ssl_whitelist.txt contains -

.facebook.com
.twitter.com
.pintrest.com

Of course, this doesn't work because the IP address for these websites
points back to <something>.akamaitechnologies.com.

All I want is to be able to decrypt just the traffic to these three
websites, the rest should go through encrypted. But I couldn't find a
solution for this anywhere in the archives. I did see some mention of using
SslBump1/2/3 but it wasn't clear if this was the silver bullet. Also I
would have to upgrade to 3.5 to use these new directives.

Any idea how I can achieve this in 3.4.8 (if possible)? Or if a solution
exists for this in 3.5?

Thanks,
-Mukul
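The SslBump1/2/3 steps mentioned in the question are the Squid 3.5 peek-and-splice mechanism. The fragment below is an added example, not the poster's configuration and not a reply from the list; it assumes Squid 3.5 with the `at_step` and `ssl::server_name` ACL types, and the three domains and file name are taken from the question above. The idea is that at step 1 Squid only knows the destination IP (which is why a `dstdomain` match falls back to the reverse DNS name), so it is told to `peek` at the client hello; at step 2 the TLS SNI is available, and the `ssl::server_name` ACL can decide per domain whether to `bump` or `splice` (tunnel unchanged).

```squid
# Added example for Squid 3.5 peek-and-splice (assumed syntax, not from the post).
# Step 1: only the destination IP is known; step 2: the client SNI has been peeked.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Domains to decrypt, matched against the TLS SNI rather than reverse DNS.
# The file format is one domain per line, as in the poster's /tmp/ssl_whitelist.txt.
acl ssl_whitelist ssl::server_name "/tmp/ssl_whitelist.txt"

# Never bump connections from the proxy host itself (kept from the original config).
ssl_bump none localhost

# Look at the ClientHello first so the SNI becomes available.
ssl_bump peek step1

# At step 2 the SNI is known: decrypt only the whitelisted names...
ssl_bump bump ssl_whitelist
# ...and pass everything else through as an opaque encrypted tunnel.
ssl_bump splice all
```

Two caveats a practitioner should check when deploying this: clients that send no SNI (or a spoofed one) will not match `ssl::server_name` and will simply be spliced, so the whitelist is only as reliable as the SNI the client presents; and `ssl_bump` lines are evaluated on every step in order, so `peek` must come before the `bump`/`splice` decisions or the SNI will never be seen. Squid 3.4.8 has no `at_step` or `ssl::server_name`, so this approach does require the 3.5 upgrade the question anticipates.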