[squid-users] ssl_bump and SNI
Amos Jeffries
squid3 at treenet.co.nz
Wed May 20 10:51:55 UTC 2015
On 20/05/2015 8:22 p.m., sp_ wrote:
> Hello Amos,
>
> I still get IP-addresses instead of domain names:
>
That appears to be because the requests are just denied. Not peeked or
spliced.

When a new TCP connection is intercepted Squid starts with only the IP
address. It generates a fake CONNECT request from that detail, and checks
http_access for whether to allow/deny that connection. Only if that is
allowed will bumping checks begin to take place - during which SNI
becomes available.

It seems to me that your http_access logic is actively denying the
initial CONNECT request when only IP is known.

Amos
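
The ordering described in the message above, as a squid.conf sketch. This is an added example, not part of the original message and not the poster's configuration; it assumes the Squid 3.5 peek-and-splice directives, and the ACL names, the 192.0.2.0/24 client network and the .example.com domain are constructed placeholders.

```conf
# Constructed example: ACL names, network and domain are placeholders.
acl localnet    src 192.0.2.0/24
acl SSL_ports   port 443
acl CONNECT     method CONNECT
acl allowed_dom dstdomain .example.com
acl allowed_sni ssl::server_name .example.com
acl step1       at_step SslBump1

# --- Pattern that produces the symptom -------------------------------
# The fake CONNECT built for an intercepted connection carries only the
# destination IP, so a domain-name rule has no name to match. The
# request falls through to the deny and ssl_bump is never consulted,
# which is why only IP addresses show up.
#
#   http_access allow CONNECT allowed_dom
#   http_access deny all

# --- Corrected ordering ----------------------------------------------
# 1. Admit the IP-only fake CONNECT on what is known at that point:
#    client source address and destination port.
http_access deny  CONNECT !SSL_ports
http_access allow CONNECT localnet SSL_ports

# 2. Name-based rules still apply to requests that do carry a hostname.
http_access allow localnet allowed_dom
http_access deny  all

# 3. Only after http_access has allowed the connection do the bumping
#    checks run. Peeking at step 1 reads the TLS ClientHello, which
#    makes the SNI available to ssl::server_name.
ssl_bump peek step1

# 4. Enforce the hostname policy here, where the name is known.
ssl_bump splice    allowed_sni
ssl_bump terminate all
```

After `squid -k parse` and a reconfigure, a connection that reaches the peek step can be evaluated by server name instead of being denied while only the IP is known.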