[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?
Amos Jeffries
squid3 at treenet.co.nz
Sun Sep 20 08:59:32 UTC 2015
On 19/09/2015 4:48 a.m., Yuri Voinov wrote:
>
> 18.09.15 21:22, Matus UHLAR - fantomas пишет:
>> from earlier e-mail:
>
>>> acl tor_url url_regex "C:/Squid/etc/squid/url.tor"
>
>> On 17.09.15 18:47, Yuri Voinov wrote:
>>> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
>>> ssl_bump splice NoSSLIntercept
>
>>> # Privoxy+Tor access rules
>>> never_direct allow tor_url
>
>>> cache_peer_access 127.0.0.1 allow tor_url
>
>> I wonder if the never_direct and cache_peer_access should not use the same
>> acl as "ssl_bump splice".
Maybe for values but ssl::server_name ACL may not work outside ssl_bump.
It might, or it might not be usable by the other *_access rules and
depends on whether the matching decisions for those rule sets is the
same for the ssl_bump ones. That latter condition is a big 'IF'.
>> Also, the regex \.icq\.* will apparently never match, there should be
> "\.icq\..*" or simply "\.icq\."
> This match ICQ.COM HTTP over 443 port.
No. "icq.com" does not contain the string ".icq" (not the initial '.').
It will match any SNI, CONNECT URI, or server certificate SubjectAltName
field containing the string ".icq" or ".icq.".
... but not the plain name "icq.com".
To match "icq.com" and all its sub-domain requests (ie. regex equivalent
of "dstdomain .icq.com") the correct regex is:
(.*\.)?icq\.com$
>
>> ...regex should match inside the server_name, correct?
>> in such case apparently kaspi\.kz should be "kaspi\.kz$"
> no. This must match kaspi\.ks.*
> And this match.
Correct, assuming the 's'/'z' difference was a typo.
Amos
More information about the squid-users
mailing list