[squid-users] Allow some domains to bypass Squid
Alex Crow
alex at nanogherkin.com
Sun Mar 11 15:48:35 UTC 2018
>> The alternative for ssl-bump is the splice action. For that you only
>> need to know the server names each company uses.
>
OP,

It would be a lot easier to just create exceptions on the squid device
for sites where bumping doesn't work which cause them to be tunnelled or
spliced rather than bumped. You can then at least use dstdomain or
ssl:servername rules. dstdomain will let you tunnel or splice, whereas
with ssl servername you will only be able to splice as an SSL connection
must already have been started AFAIK. Your firewall will probably need
restarting every time one of the IP addresses behind those hostnames
changes. Squid will at least do a lookup every request for dstdomain
(you need a good DNS server nearby or on the squid box).

BTW, peek/splice/bump is not just install and forget. It needs
maintenance and care in deployment.

Adding transparent into the mix makes it more difficult, as I can see
you have found.

Try to keep the architecture as simple as you can and use each part to
its best ability. Simple firewalls using hostnames for rules is a path
to severe pain where round-robin is in place. Might be OK with a big,
expensive FW appliance that has the ability to DNS lookup for every
connection.

Cheers

Alex
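
A squid.conf sketch of the exception approach described in the message above, added here as an illustration; it is not taken from the thread or from any poster's configuration. The domain names and ACL names are constructed placeholders, and it assumes Squid 3.5 or later built with SSL-Bump support and a listening port already configured with ssl-bump.

```conf
# Constructed placeholders: the server names that must not be bumped.
acl no_bump_sni ssl::server_name .bank.example.com .updates.example.net

# Explicit (non-transparent) proxying only: the CONNECT request carries the
# host name, so dstdomain can match before any TLS has been seen.
acl no_bump_dst dstdomain .bank.example.com .updates.example.net

# SslBump1 is the step before the TLS ClientHello has been inspected.
acl step1 at_step SslBump1

# Rules are checked in order at every step; the first match wins.

# Known at CONNECT time: splice at step 1, which becomes a plain TCP tunnel.
ssl_bump splice no_bump_dst

# Otherwise peek at the ClientHello so the SNI is available to ssl::server_name.
ssl_bump peek step1

# Exceptions matched on the SNI: pass through without decrypting.
ssl_bump splice no_bump_sni

# Everything else is decrypted and inspected.
ssl_bump bump all
```

Run `squid -k parse` after editing to check the syntax before reloading.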