[squid-users] Fwd: Squid https bump and google apps

Yuri Voinov yvoinov at gmail.com
Fri Jan 15 19:18:28 UTC 2016


I see:

15/Jan/2016:21:03:22 +0600    411 127.0.0.1 TAG_NONE/200 0 CONNECT
www.google.com:443 - HIER_DIRECT/216.58.208.227 -
15/Jan/2016:21:03:23 +0600    663 127.0.0.1 TCP_MISS/200 30415 GET
https://www.google.com/search?q=Sun+2540-M2+Performance+enhancer&biw=1280&bih=699&noj=1&ei=oAmZVvnxCsW3afKevLAO&start=10&sa=N
- HIER_DIRECT/216.58.208.227 text/html
15/Jan/2016:21:03:23 +0600    356 127.0.0.1 TAG_NONE/200 0 CONNECT
ssl.gstatic.com:443 - HIER_DIRECT/178.88.163.157 -
15/Jan/2016:21:03:24 +0600    518 127.0.0.1 TCP_MISS/200 10160 GET
https://ssl.gstatic.com/gb/images/b_8d5afc09.png -
HIER_DIRECT/178.88.163.157 image/png
15/Jan/2016:21:03:24 +0600    783 127.0.0.1 TCP_MISS/200 115401 GET
https://www.google.com/xjs/_/js/k=xjs.s.ru.m-NlNEOmnHs.O/m=sx,c,sb,cdos,cr,elog,jsa,r,hsm,qsm,j,d,csi/am=kCQEAIj4Ox8EwoUwJpAYiGJx/rt=j/d=1/t=zcms/rs=ACT90oEzCEk0HVyb3zb62UPMbHxa8XdbGA
- HIER_DIRECT/216.58.208.227 text/javascript
15/Jan/2016:21:03:24 +0600    205 127.0.0.1 TCP_MISS/200 50749 GET
https://www.google.com/xjs/_/js/k=xjs.s.ru.m-NlNEOmnHs.O/m=abd,sy51,sy50,sy49,sy52,em11,async,sy3,sy143,sy419,sy420,sy5,sy28,sy421,sy454,sy1,sy455,dvl,sy54,foot,fpe,idck,ipv6,sy130,sy141,lu,m,sf,sy34,sy91,sy195,sy29,sy35,sy32,sy117,sy84,sy196,sy80,sy129,sy123,sy125,sy197,sy236,sy202,sy243,sy237,sy198,sy250,sy263,sy33,sy100,em8,em9,em7,em5,sy264,skp,sy169,sy138,sy170,sy59,sy31,sy120,sy183,sy184,sy215,sy149,sy218,sy148,sy121,sy182,sy216,sy219,sy221,sy213,spch,ssb,vm,vs,sy62,sy63,sy65,sy67,sy58,sy60,sy64,sy68,sy55,sy61,sy66,sy69,sy56,tnv,me/am=kCQEAIj4Ox8EwoUwJpAYiGJx/rt=j/d=0/t=zcms/rs=ACT90oEQCEk0HVyd1zb62UPMbHxa8XdbGA
- HIER_DIRECT/216.58.208.227 text/javascript
15/Jan/2016:21:03:25 +0600    157 127.0.0.1 TCP_MISS/200 19607 GET
https://ssl.gstatic.com/gb/js/sem_66feb97d15f5eb908984af1a9e0a4ee4.js -
HIER_DIRECT/178.88.163.157 text/javascript

:)

Possibly your bump is not properly configured.

16.01.16 0:42, Lucas Castro wrote:
> Yuri,
> Now I can see I'm really doing something wrong,
> because I can't see the FQDN in access.log.
> What can be the possible problem that I get just IP:PORT?
>
> On 15-01-2016 15:23, Yuri Voinov wrote:
>>
>>
>>
>> 15.01.16 23:55, lucas castro wrote:
>>> Amos, Sorry for emailing right to you.
>>> ---------- Forwarded message ----------
>>> From: lucas castro <lucascastroborges at gmail.com>
>>> Date: Fri, Jan 15, 2016 at 2:54 PM
>>> Subject: Re: [squid-users] Squid https bump and google apps
>>> To: Amos Jeffries <squid3 at treenet.co.nz>
>>
>>
>>> Amos, I'm already using squid-3.5.13 with SNI.
>>> The problem is, Google uses the same certificate for youtube.com,
>>> google.com and some others.
>>> Or am I doing something wrong?
>> Yes. SSL Bump is _not_ the main ACL tool. So, using SNI as a general ACL
>> is a bad idea.
>>
>> The right way is:
>>
>> - Using bump to make the FQDN visible and, next
>> - Using a general ACL for access control _or_
>> - Using a redirector to filter out URLs.
>>
>>
>>> On Fri, Jan 15, 2016 at 2:33 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>>>> On 16/01/2016 3:35 a.m., Lucas Castro wrote:
>>>>> I've worked hard against Google applications.
>>>>> The point is, Google uses the same certificate for a bunch of different
>>>>> apps, like google.com, youtube.com, drive.google.com.
>>>>> I'd like to know if someone has already got youtube.com terminated and
>>>>> kept google.com and other services working.
>>>>
>>>> It is possible. Using the Squid-3.5 peek-and-splice feature with SNI
>>>> detection.
>>>>
>>>> Amos
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>

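An added example, not part of the original thread and not the Squid project's own configuration: a squid.conf fragment for Squid 3.5 that follows the approach described in the message above (bump so the FQDN and URL become visible in access.log, then filter with an ordinary ACL). The port, file paths and the ACL names `step1`, `blocked_sites` and `blocked_sni` are assumptions, and clients must already trust the proxy's signing CA.

```squidconf
# Added example. Port, paths and ACL names are assumptions, not values
# taken from the thread.

# Forward-proxy port with SSL-Bump enabled. The PEM file holds the signing
# CA certificate and key that client machines have been set up to trust.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that generates per-host certificates (called ssl_crtd in Squid 3.5;
# the install path varies by distribution).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1: peek at the TLS ClientHello so Squid learns the SNI host name.
acl step1 at_step SslBump1
ssl_bump peek step1

# Later steps: bump, so decrypted requests reach Squid and are logged as
# "GET https://host/path" entries after the CONNECT entry.
ssl_bump bump all

# Ordinary access control on the host name that is now visible.
# This deny must come before the site's own http_access allow rules.
acl blocked_sites dstdomain .youtube.com
http_access deny blocked_sites

# ... existing http_access allow rules for local clients go here ...
http_access deny all

# Alternative mentioned earlier in the thread (peek-and-splice with SNI
# detection, no decryption). Use instead of "ssl_bump bump all":
#
#   acl blocked_sni ssl::server_name .youtube.com
#   ssl_bump terminate blocked_sni
#   ssl_bump splice all
```

With the bump variant working, access.log shows the pattern in the log excerpt at the top of the message: a CONNECT entry carrying the host name, followed by decrypted https:// request entries for the same host.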
