[squid-users] Squid ACL for bypassing ssl-bump

Alex Rousskov rousskov at measurement-factory.com
Thu Feb 25 20:57:00 UTC 2021


On 2/25/21 2:07 PM, Justin Michael Schwartzbeck wrote:

> I have thus far used dstdomain acl for bypassing ssl bump on sites that
> we don't want to decrypt, like banking sites. It seems to work for some
> sites, but not for others.

Yes, many HTTPS transactions do not expose destination domain until it
is too late to decide whether to bump them, and reverse DNS lookups are
often unreliable.


> I was thinking about this, and it seems to me that if we are using the
> squid proxy with a dns server, we should be able to check the dns cache
> for that IP, and find the associated hostname, and then match against that.

When you use dstdomain, Squid will do a (reverse) DNS query for you as
necessary (including DNS cache lookups) unless you specify a -n option
that is documented to disable all such operations.


In many cases, you should be using ssl::server_name instead of dstdomain
or dst ACL, but you may have to use a combination of various ACLs to
cover all the cases you care about.


HTH,

Alex.
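A squid.conf fragment illustrating the advice above (an added example, not configuration from this thread or from the Squid project; the domain names are placeholders):

```conf
# Decide at the earliest SslBump step where the server name is actually known.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# ssl::server_name matches the TLS server name Squid currently knows:
# the CONNECT host at step1, the SNI once the ClientHello has been peeked
# at step2, and the server certificate subject at step3.
acl nobump_sni ssl::server_name .bank.example .broker.example

# Fallback for explicit-proxy CONNECT requests that carry a hostname.
# The -n flag stops Squid from doing (reverse) DNS lookups for this ACL,
# so it never matches an intercepted connection that exposes only an IP.
acl nobump_host dstdomain -n .bank.example .broker.example

ssl_bump peek step1          # read the ClientHello without altering it
ssl_bump splice nobump_sni   # pass matching connections through untouched
ssl_bump splice nobump_host
ssl_bump bump all            # decrypt everything else
```

Because the first matching ssl_bump rule wins, a site that only reveals its name in the SNI is spliced at step2 rather than bumped, which is the case the dstdomain-only approach misses.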


