[squid-users] Squid modification to only read client SNI without bumping.

His Shadow shadowpilot34 at gmail.com
Tue Jun 8 13:31:21 UTC 2021


Could you direct me to those scripts? Also, am I understanding
correctly that in this mode:
acl blocklist dstdomain ...

ssl_bump peek all
ssl_bump splice blocklist
ssl_bump terminate all

I will only need certs to display an error page from Squid via SSL,
but unblocked domains should be just fine?
I think it should be
ssl_bump splice !blocklist
since blocklist is the list of domains that need blocking, so we
don't need to splice them. Oh, and one more thing, wouldn't dstdomain
match something that was sent in the CONNECT request itself, instead
of the SNI in the client hello if it is present?

-- 
HisShadow

