[squid-users] SSL Peak and Splice
Amos Jeffries
squid3 at treenet.co.nz
Wed May 13 07:25:24 UTC 2015
On 13/05/2015 6:17 a.m., Casey Daniels wrote:
> Hi,
> I've been trying to figure out how to do some web filtering on HTTPs,
> with no really good options given the layout I have. But then I just
> happened to see this feature for Squid 3.5, and was wondering if I'm
> understanding it correctly.
>
> With the Peak and Splice feature, is it possible to run squid in a
> transparent mode for SSL, and check for certain host and either deny the
> connection all together or allow the connection without further
> interference from Squid? Would this be completely transparent without
> adding a trusted certificate from the proxy server to all user devices?
Depends on how you define "host" and what the TLS ClientHello
information contains.
If you define "host" in the official standard Internet terminology (a
single machine). Then no its not possible. NAT and "load balancing"
utterly destroyed the ability to determine if the host being spoken to
is the host indicated in the packets.
Case in point is your interceptor - a completely different host to the
one the client sees in its packets. Nothing stops other interceptors
existing upstream from you.
If by "host" you actally meant FQDN or host *name*. It can be done when
and only when the TLS SNI information is made available by the client.
Amos
More information about the squid-users
mailing list