[squid-users] Peek and splice where SNI not present
washuu
rst at fomar.com.pl
Sat Oct 5 02:34:00 UTC 2019
Hi,
I'm using Squid 3.5.27, and I want to filter some HTTPS traffic, based on
the hostnames.
My SSL-related config is as follows:
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
acl global_https_dst_allow ssl::server_name "/chroot/squid/etc/squid/global_dst_whitelist"
ssl_bump splice step2 global_https_dst_allow
ssl_bump terminate step2 proxyclients
http_access allow SSL_ports
http_access allow proxyclients
http_access deny all
Now I see that several SSL clients do NOT send the SNI hostname in the Client
Hello message, and what I get is denied access, with the following entry in
the log:
1570241666.136 5 192.168.3.99 TAG_NONE/200 0 CONNECT 52.202.211.224:443 - HIER_NONE/- - -
I have two questions then:
1) For such cases, is there a possibility to filter traffic based on the
certificate provided by the Server Hello (instead of the SNI from the Client
Hello) in step3?
2) Is there a way to allow (by an additional ACL rule, perhaps) traffic
without the SNI field set? So actually I would be filtering OUT only the
sessions where SNI was present but the hostname did not match my whitelist.
Best regards,
Washuu K.
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html