[squid-users] kinda confused about Peek and Splice

Marek Serafin marek.serafin at helion.pl
Thu Sep 17 10:00:05 UTC 2015


Hello, I'm kinda confused about the "Peek and Splice" technique 
introduced in Squid 3.5.x.
----------------------
My goal is to allow CONNECT-method ONLY to certain web-pages (mainly 
banks, payment systems). The rest of https-sites should be allways bumped.
---------------------
And this can be easily achieved even in squid 3.3 (I'm talking about 
situation where browser is totally aware of using proxy server -- not 
transparent mode).

But when Squid allows CONNECT method - it allows any kind of TCP tunnel 
(e.g. OpenVPN over TCP or ssh tunnel).

So, my real question is - if it's possible - using the new technique 
(Peek and Splice) to allow Splice method - but ONLY to real HTTPS Sites 
  - not a ssh or VPN service?
(I'm still talking about the situation where browsers are aware of proxying)


I was thinking that it can be done by peeking in step 2 (peeing the 
server certificate) BUT there is a limitation: peeking at the server 
certificate usually precludes future bumping. So when we're peeking at 
step 2 we can only splice later (or terminate) - which is not what I 
wanted to achieve.



If above is not possible, what is the main advantage of "Peek and 
Splice" comparing to old method (remember: browsers are aware of proxying).
I can see advantage in transparent mode  - obtaining domain name by SNI. 
But in "normal mode" squid knows the domain-name because of the connect 
request? And knowing the domain-name we can decide what to do.

thx for any hints or explanation!

HELION SA, 44-100 Gliwice, ul. Kościuszki 1C
Numer KRS 0000121256 Sąd Rejonowy w Gliwicach,
X Wydział Gospodarczy Krajowego Rejestru Sądowego.
NIP 631-020-02-68, REGON: 271070648
Kapitał zakładowy: 500100 zł w całości wpłacony


More information about the squid-users mailing list