[squid-users] SSL Peak and Splice
Amos Jeffries
squid3 at treenet.co.nz
Thu May 14 04:37:19 UTC 2015
On 14/05/2015 10:47 a.m., Casey Daniels - mailinglist wrote:
>> On May 13, 2015 at 3:25 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>>
>> On 13/05/2015 6:17 a.m., Casey Daniels wrote:
>>> Hi,
>>> I've been trying to figure out how to do some web filtering on HTTPs,
>>> with no really good options given the layout I have. But then I just
>>> happened to see this feature for Squid 3.5, and was wondering if I'm
>>> understanding it correctly.
>>>
>>> With the Peak and Splice feature, is it possible to run squid in a
>>> transparent mode for SSL, and check for certain host and either deny the
>>> connection all together or allow the connection without further
>>> interference from Squid? Would this be completely transparent without
>>> adding a trusted certificate from the proxy server to all user devices?
>>
>> Depends on how you define "host" and what the TLS ClientHello
>> information contains.
>>
>> If you define "host" in the official standard Internet terminology (a
>> single machine). Then no its not possible. NAT and "load balancing"
>> utterly destroyed the ability to determine if the host being spoken to
>> is the host indicated in the packets.
>> Case in point is your interceptor - a completely different host to the
>> one the client sees in its packets. Nothing stops other interceptors
>> existing upstream from you.
>>
>> If by "host" you actally meant FQDN or host *name*. It can be done when
>> and only when the TLS SNI information is made available by the client.
>>
>> Amos
>>
>
> Yes the second option, not the particular machine, but the FQDN
> (i.e.<http://www.cooking.com> )
# get TLS SNI details etc
ssl_bump peek all
# some get rejected
acl blocked ssl:server_name .example.com
ssl_bump reject blocked
# the rest allowed without decrypting
ssl_bump splice all
> When is the TLS SNI information made available by the client?
They send it or they dont. Nothign you or we can do about it.
Amos
More information about the squid-users
mailing list