[squid-users] ssl_bump for specific dstdomain
Yuri Voinov
yvoinov at gmail.com
Thu Mar 12 15:04:22 UTC 2015
You only have an external helper (which you must write yourself) in 3.4.x.
Working with domains in ssl bump is fully available in at least 3.5.x.
12.03.15 21:01, Mukul Gandhi wrote:
> I am running squid 3.4.8 and am looking for solutions to ssl_bump
> for specific domains only. Going through the archives it is clear
> that it is not possible unless the reverse DNS points back to the
> domain that is to be ssl bumped.
>
> So then what is the solution to this problem? I just want to create
> an SSL whitelist of domains that are to be bumped and the rest
> should be tunneled through. What I have is -
>
> ssl_bump none localhost
> acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
> ssl_bump server-first ssl_whitelist
>
> The file /tmp/ssl_whitelist.txt contains -
>
> .facebook.com
> .twitter.com
> .pintrest.com
>
> Of course, this doesn't work because the ip address for these
> websites points back to <something>.akamaitechnologies.com.
>
> All I want is to be able to decrypt just the traffic to these
> three web-sites, the rest should go through encrypted. But I
> couldn't find a solution for this anywhere in the archives. I did
> see some mention of using SslBump1/2/3 but it wasn't clear if this
> was the silver bullet. Also I would have to upgrade to 3.5 to use
> these new directives.
>
> Any idea how I can achieve this in 3.4.8 (if possible)? Or if a
> solution exists for this in 3.5?
>
> Thanks, -Mukul
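An added example, not part of the original messages and not the Squid project's own configuration: the non-working 3.4.x rules from the question next to a Squid 3.5.x peek-and-splice equivalent that bumps only the whitelisted domains and tunnels the rest. It assumes the `ssl::server_name` ACL type and the `peek`/`bump`/`splice` actions of 3.5.x, reuses the poster's file path, and assumes the listening port is already set up with `ssl-bump` and a signing CA certificate.

```conf
# --- Squid 3.4.x rules from the question (do not match as intended) ---
# dstdomain is evaluated against the destination IP's reverse DNS when only
# the IP is known, so CDN-hosted sites resolve to the CDN's name instead.
#
#   ssl_bump none localhost
#   acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
#   ssl_bump server-first ssl_whitelist

# --- Squid 3.5.x peek-and-splice equivalent (added example) ---

# SslBump1 is the first bumping step, before the TLS ClientHello is parsed.
acl step1 at_step SslBump1

# Match on the server name the client asks for (TLS SNI), not on reverse
# DNS of the destination address.
# File format: one domain per line, for example .facebook.com
acl ssl_whitelist ssl::server_name "/tmp/ssl_whitelist.txt"

# Step 1: peek at the ClientHello so the SNI is available to later rules.
ssl_bump peek step1

# Step 2: decrypt only connections whose server name is whitelisted.
ssl_bump bump ssl_whitelist

# Everything else is passed through as an encrypted tunnel.
ssl_bump splice all
```

Running `squid -k parse` checks the configuration for syntax errors before it is reloaded.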