[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Yuri Voinov yvoinov at gmail.com
Wed Sep 23 11:10:28 UTC 2015



23.09.15 17:07, Matus UHLAR - fantomas wrote:
> Hello,
>
>>>> On 17.09.15 18:47, Yuri Voinov wrote:
>>>>> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
>>>>> ssl_bump splice NoSSLIntercept
>>>
>>>>> # Privoxy+Tor access rules
>>>>> never_direct allow tor_url
>>>
>>>>> cache_peer_access 127.0.0.1 allow tor_url
>
>>> 18.09.15 21:22, Matus UHLAR - fantomas wrote:
>>>> I wonder if the never_direct and cache_peer_access should not use the same acl as "ssl_bump splice".
>
> On 20.09.15 20:59, Amos Jeffries wrote:
>> Maybe for values but ssl::server_name ACL may not work outside ssl_bump.
>>
>> It might, or it might not be usable by the other *_access rules and
>> depends on whether the matching decisions for those rule sets is the
>> same for the ssl_bump ones. That latter condition is a big 'IF'.
>
> I wonder how this matches. The SNI should only be seen when the https
> connection is received, either by intercepting https or by the client using
> HTTPS to connect to the proxy. On an unintercepted HTTP port that received a
> CONNECT request, it would only see the CONNECT string, e.g. "CONNECT kaspi.kz:443",
> correct?
About SNI - not a fact. When I completely turn off SSL bump, this looks the same. Also, the testing server is a non-interception proxy, just forwarding.
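As an added illustration of the point under discussion (this is not code from the thread or from the Squid project): a small Python script showing what a plain forwarding proxy can know at each stage of one CONNECT. At the request stage only the `host:port` in the CONNECT line is visible; the SNI lives in the TLS ClientHello, which the client sends only after the proxy has answered the CONNECT, so a rule evaluated on the CONNECT request can only match the CONNECT target. The request line and ClientHello below are constructed sample data and the function names (`connect_target`, `build_client_hello`, `extract_sni`, `proxy_view`) are mine, not Squid's.

```python
"""Constructed example: what a forwarding proxy sees at the CONNECT stage
versus inside the tunnel (TLS ClientHello with an SNI extension)."""
import struct
from typing import Optional


def connect_target(request_line: bytes):
    """Return (host, port) from a 'CONNECT host:port HTTP/1.1' request line.

    This is all a non-intercepting proxy has when *_access rules for the
    CONNECT request are evaluated: no TLS data has been sent yet.
    """
    method, target, _version = request_line.strip().split(b" ", 2)
    if method != b"CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(b":")
    return host.decode("ascii"), int(port)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying SNI.

    Only the fields needed to exercise extract_sni() are present; the random
    bytes are a fixed constructed value, not real randomness.
    """
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(name_list)) + name_list  # ext type 0 = SNI
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + b"\x11" * 32                           # random (constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(exts)) + exts    # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host from a ClientHello record, or None if it has none.

    Raises ValueError for anything that is not a TLS ClientHello so callers
    never mistake plain HTTP or other tunnel data for a hello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0:                             # server_name extension
            lpos = 2                               # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:                     # host_name entry
                    return data[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
    return None


def proxy_view(request_line: bytes, tunnel_bytes: bytes) -> dict:
    """What a non-intercepting proxy can know: CONNECT target first, SNI later."""
    host, port = connect_target(request_line)
    try:
        sni = extract_sni(tunnel_bytes)
    except ValueError:
        sni = None                                 # tunnel payload is not TLS
    return {"connect_host": host, "connect_port": port, "sni": sni}


if __name__ == "__main__":
    request = b"CONNECT kaspi.kz:443 HTTP/1.1\r\n"          # constructed
    print(proxy_view(request, build_client_hello("kaspi.kz")))
    print(proxy_view(request, build_client_hello(None)))    # client sent no SNI
```

Run as a script, it prints the CONNECT host and port in both cases and the SNI only when the ClientHello actually carries one; that is why a rule that must match the SNI can only be evaluated once the TLS hello has been read, whereas the CONNECT target is available for `never_direct` and `cache_peer_access` at request time.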