[squid-users] SSL Peak and Splice
Casey Daniels - mailinglist
mailinglist at cd.kcfam.net
Wed May 13 22:47:31 UTC 2015
> On May 13, 2015 at 3:25 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>
> On 13/05/2015 6:17 a.m., Casey Daniels wrote:
> > Hi,
> > I've been trying to figure out how to do some web filtering on HTTPs,
> > with no really good options given the layout I have. But then I just
> > happened to see this feature for Squid 3.5, and was wondering if I'm
> > understanding it correctly.
> >
> > With the Peak and Splice feature, is it possible to run squid in a
> > transparent mode for SSL, and check for certain host and either deny the
> > connection all together or allow the connection without further
> > interference from Squid? Would this be completely transparent without
> > adding a trusted certificate from the proxy server to all user devices?
>
> Depends on how you define "host" and what the TLS ClientHello
> information contains.
>
> If you define "host" in the official standard Internet terminology (a
> single machine). Then no its not possible. NAT and "load balancing"
> utterly destroyed the ability to determine if the host being spoken to
> is the host indicated in the packets.
> Case in point is your interceptor - a completely different host to the
> one the client sees in its packets. Nothing stops other interceptors
> existing upstream from you.
>
> If by "host" you actally meant FQDN or host *name*. It can be done when
> and only when the TLS SNI information is made available by the client.
>
> Amos
>
Yes the second option, not the particular machine, but the FQDN
(i.e.<http://www.cooking.com> )
When is the TLS SNI information made available by the client?
Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150513/dd1ba705/attachment.html>
More information about the squid-users
mailing list