[squid-users] ssl-bump and accel

Nir Krakowski nir.kra at gmail.com
Sun Jan 10 09:26:29 UTC 2016


1. You're forgetting I only refer specific traffic using /etc/hosts to
squid.
2. What do you suggest? I want to use the SNI as the direction of the
traffic, not the forwarded IP address.

On Sun, Jan 10, 2016 at 6:30 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 9/01/2016 7:48 a.m., Nir Krakowski wrote:
> > This is what needs to be done to get it to work in squid >3.5 in function
> > ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
> > Dns::LookupDetails &dns):
> >
>
> Hell NO!!!!
>
> clientConn is the state data about the TCP connection the message
> arrived on. HTTP and SSL-Bump in no way alter the reality of what
> src/dst IPs those TCP packets contain.
>
> There may be a bug needing a fix, but it absolutely is not that patch.
>
>
> By applying that patch you are allowing a remote sender to both bypass
> all your Squid protections, and any network firewall security you may
> have external to Squid. While simultaneously recording in your Squid
> logs any value of its choosing for the destination IPs of its attack
> traffic.
>
> Amos
>
>
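The safe way to let the SNI decide what happens to bumped traffic is to read it with a `peek` at step 1 and then act on the `ssl::server_name` ACL, leaving Squid's own destination-IP verification (the code in `hostHeaderIpVerify`) untouched. The fragment below is an added illustration in Squid 3.5 `squid.conf` syntax, not configuration posted by either participant; the `.example.com` domain and the `sni_allowed` ACL name are placeholders chosen here.

```squid
# Added example, not from the thread: direct traffic by SNI without
# patching Squid's TCP-level destination checks.

# Keep Squid's Host/destination verification active; this is the check
# that the proposed clientConn patch would have defeated.
host_verify_strict on

# Step 1: only peek at the ClientHello so the SNI becomes visible.
acl step1 at_step SslBump1
ssl_bump peek step1

# Decide on the SNI the client presented (placeholder domain).
acl sni_allowed ssl::server_name .example.com

# Pass known destinations through unmodified; refuse everything else
# instead of letting the client steer the connection elsewhere.
ssl_bump splice sni_allowed
ssl_bump terminate all
```

Because the SNI is only used to select an action on a connection whose real src/dst addresses Squid already knows, a client that lies in its SNI cannot change where the packets go or what the access log records as the destination.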