[squid-users] Allow some domains to bypass Squid

Yuri yvoinov at gmail.com
Sun Mar 11 18:44:34 UTC 2018


Alex would like to say that splice, when implemented, is easier to
maintain than iptables/firewall rules.

It's trivial to implement. Here is my config snippet:

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

acl.url.nobump fragment:

# Adobe updates (web installation)
# This requires splicing due to the SSL-pinned web downloader
(get|platformdl|fpdownload|ardownload[0-9])\.adobe\.com
....
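To check the splice list before it goes live, here is an added example (not from the post or from Squid) that mirrors the three ssl_bump rules above against an inline copy of the acl.url.nobump fragment; it assumes, as Squid does for regex ACLs, that each pattern is an unanchored regex matched anywhere in the SNI, and that a connection without SNI falls through to "bump all".

```python
import re

# Constructed stand-in for /usr/local/squid/etc/acl.url.nobump:
# one regex per line, '#' lines are comments, as in the fragment above.
NOBUMP_FILE = """\
# Adobe updates (web installation)
# This requires splicing due to the SSL-pinned web downloader
(get|platformdl|fpdownload|ardownload[0-9])\\.adobe\\.com
"""


def load_nobump(text):
    """Compile every non-comment, non-blank line; a bad regex is a hard error,
    which is preferable to Squid silently splicing (or bumping) the wrong hosts."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as exc:
            raise ValueError(f"line {lineno}: bad regex {line!r}: {exc}") from exc
    return patterns


def ssl_bump_action(sni, patterns):
    """Decision at SslBump step 2, after the step-1 peek has revealed the SNI.

    A name matching NoSSLIntercept is spliced; everything else hits 'bump all'.
    re.search (not fullmatch) reproduces Squid's unanchored regex matching.
    """
    if not sni:
        return "bump"  # nothing to match against, so the last rule wins
    if any(p.search(sni) for p in patterns):
        return "splice"
    return "bump"


def audit(snis, patterns):
    """Map each sample SNI to the action the configuration would take."""
    return {sni: ssl_bump_action(sni, patterns) for sni in snis}


if __name__ == "__main__":
    pats = load_nobump(NOBUMP_FILE)
    sample = ["get.adobe.com", "ardownload2.adobe.com", "www.adobe.com",
              "get.adobe.com.example.test"]  # last one: unanchored over-match
    for sni, action in audit(sample, pats).items():
        print(f"{sni:32} -> {action}")
```

The last sample shows why the audit is worth running: the unanchored pattern also splices get.adobe.com.example.test, so an entry meant for the real hosts only should be anchored (for example ending in `\.adobe\.com$`).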

As Alex said, the splice list requires maintenance all the time.

The common rules are:

- Each SSL pinning site must be spliced.

- Each OCSP stapling site must be spliced.

- Each site that cannot be bumped should be spliced.

Feel free to RTFM first:

https://wiki.squid-cache.org/Features/SslPeekAndSplice


On 12.03.2018 00:39, Nicolas Kovacs wrote:
> On 11/03/2018 at 16:48, Alex Crow wrote:
>> It would be a lot easier to just create exceptions on the squid device
>> for sites where bumping doesn't work which causes them to be tunnelled or
>> spliced rather than bumped. You can then at least use dstdomain or
>> ssl:servername rules. dstdomain will let you tunnel or splice, whereas
>> ssl servername you will only be able to splice as an SSL connection must
>> already have been started AFAIK. Your firewall will probably need
>> restarting every time one of the IP addresses behind those hostnames
>> changes. Squid will at least do a lookup every request for dstdomain
>> (you need a good DNS server nearby or on the squid box).
> What would this configuration look like? Do you have a working example?
>
> Niki
>

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************

