[squid-users] ssl_bump for specific dstdomain
Mukul Gandhi
mukulg at gwmail.gwu.edu
Thu Mar 12 20:37:44 UTC 2015
On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You only have external helper (which is must wrote yourself) in 3.4.x.
>
>
Are there any examples that I can look at to implemented this external
helper for doing selective ssl_bumps. And what would this helper script do
anyways? All we have is the destination IP address which is not really
going to give us the actual HTTP hostname.
> Works with domains in ssl bump fully available at least 3.5.x
>
Does the 3.5.x implementation decrypt the whole payload and then do the
ssl_bump? The "peek" option seems to imply that only the HTTP headers are
peeked at.
I guess what I am asking is, is there any way we can do this without
actually decrypting the payload?
>
> 12.03.15 21:01, Mukul Gandhi пишет:
> > I am running squid 3.4.8 and am looking for solutions to ssl_bump
> > for specific domains only. Going through the archives it is clear
> > that it is not possible unless the reverse DNS points back to the
> > domain that is to be ssl bumped.
> >
> > So then what is the solution to this problem. I just want to create
> > a SSL whitelist of domains that are to be bumped and the rest
> > should be tunneled through. What I have is -
> >
> > ssl_bump none localhost acl ssl_whitelist dstdomain
> > "/tmp/ssl_whitelist.txt" ssl_bump server-first ssl_whitelist
> >
> > The file /tmp/ssl_whitelist.txt contains -
> >
> > .facebook.com .twitter.com .pintrest.com
> >
> > Of course, this doesn't work because the ip address for these
> > websites points back to <something>.akamaitechnologies.com.
> >
> > All I want is to be able to decrypt just the traffic to these
> > three web-sites, the rest should go through encrypted. But I
> > couldn't find a solution for this anywhere in the archives. I did
> > see some mention of using SslBump1/2/3 but it wasn't clear if this
> > was the silver bullet. Also I would have to upgrade to 3.5 to use
> > these new directives.
> >
> > Any idea how I can achieve this in 3.4.8 (if possible)? Or if I a
> > solution exists for this in 3.5?
> >
> > Thanks, -Mukul
> >
> >
> >
> > _______________________________________________ squid-users mailing
> > list squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBAgAGBQJVAar2AAoJENNXIZxhPexGm5MH/0JUWgIjDrNb8+a0b66iyY+x
> uWgoNnGqBKL/gzQt3AmKv3P31/3Vc8wCpMlSd3HpOSeyOtJ4pYAqI3kw1o91kkEK
> YJ1wGc4FN+8sxUplA9+Kz/XDxpxTFAvS4/9d5AUOmxCoi2PmIhThozl8X8fIMdv/
> 7shy+Ce9kKj/ozSievVaePxdH+OUd0fmdKtDrv1aenxQpclaZSkuwEflQ3idTYBu
> zTpNP3AvEP4+32yb2W+mP4p1JgHwUAi60hEz3kP9pxd+Ym2kuZeFDF5ZV2x2/cKQ
> iRpmS++2kOt0nIT074PhV8dzPfD1lZt7atQT+mBJhLvzlD5Sxvxqll7Z/dpQSSI=
> =P+8j
> -----END PGP SIGNATURE-----
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150312/58bc188a/attachment.html>
More information about the squid-users
mailing list