[squid-users] Squid ACL for bypassing ssl-bump
Justin Michael Schwartzbeck
justinmschw at gmail.com
Thu Feb 25 19:07:51 UTC 2021
Hi all,
I have thus far used dstdomain acl for bypassing ssl bump on sites that we
don't want to decrypt, like banking sites. It seems to work for some sites,
but not for others.
I see the following post on this from some years back:
http://www.squid-cache.org/mail-archive/squid-users/201303/0046.html
It seems like people there are recommending use of an IP based approach to
doing this. In this case you would need a static list of IP addresses to
the sites in question.
I was thinking about this, and it seems to me that if we are using the
squid proxy with a dns server, we should be able to check the dns cache for
that IP, and find the associated hostname, and then match against that.
Does squid support this kind of a thing? If not, I was going to write an
external acl helper that does a query on a DNS cache to see if it matches a
particular domain. However, I don't want to reinvent the wheel.
Thanks,
-Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210225/d9c917d7/attachment.htm>
More information about the squid-users
mailing list