[squid-users] Squid Version 3.5.20
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 27 17:09:10 UTC 2017
On 28/06/17 03:46, Cherukuri, Naresh wrote:
> Hi,
>
> Thank you for the quick turnover. As per your request I changed the squid config
> like below, but I am still going to www.google.com
>
> acl CONNECT method CONNECT
>
> acl sslconnect dstdomain -i https://www.google.com
>
> acl GoogleRecaptcha url_regex ^https://www.google.com/recaptcha/$
>
> http_access allow CONNECT sslconnect
>
Er. That will never work.

* Firstly because "https://..." are not valid dstdomain values.

* Secondly because the CONNECT message uses an authority-form URL
structure, not an absolute-form URL.

Your Squid will simply not see the https:// URL unless you are
decrypting the TLS tunnel inside the CONNECT payload. That means
SSL-Bump functionality is mandatory for what you are attempting to do.

Also, be aware that Google services are using HSTS and certificate
pinning. So SSL-Bump is much more likely not to work for their URLs.

Amos
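
An added illustration (not part of the original message, and not Squid code): a simplified Python model of what a forward proxy can read from a CONNECT request line compared with a decrypted request, showing why the ACL values quoted above never match. The function names, the matching logic and the sample request lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit


def proxy_visible_target(request_line):
    """Return (method, host, url_text) as a proxy sees them on the request line."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # authority-form: "host:port" only, with no scheme and no path
        host, _, _port = target.rpartition(":")
        return method, host.lower(), target
    # absolute-form: scheme://host/path, as used for plain-HTTP proxy requests
    # (assumed here to also be what ACLs see once a tunnel has been decrypted)
    return method, (urlsplit(target).hostname or "").lower(), target


def dstdomain_match(host, value):
    """Simplified model of a dstdomain comparison (assumption, not Squid's code):
    exact host name, or any sub-domain when the value starts with a dot."""
    value = value.lower()
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def evaluate(request_line, dstdomain_value, url_pattern):
    """Report which of the two ACL styles would match this request line."""
    _method, host, url_text = proxy_visible_target(request_line)
    return {
        "dstdomain": dstdomain_match(host, dstdomain_value),
        "url_regex": re.search(url_pattern, url_text) is not None,
    }


# Constructed sample request lines
TUNNEL = "CONNECT www.google.com:443 HTTP/1.1"
DECRYPTED = "GET https://www.google.com/recaptcha/ HTTP/1.1"
RECAPTCHA = r"^https://www.google.com/recaptcha/$"

if __name__ == "__main__":
    print(evaluate(TUNNEL, "https://www.google.com", RECAPTCHA))  # values from the post
    print(evaluate(TUNNEL, "www.google.com", RECAPTCHA))          # bare host name
    print(evaluate(DECRYPTED, "www.google.com", RECAPTCHA))       # after decryption
```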