[squid-users] regex for normal websites

Antony Stone Antony.Stone at squid.open.source.it
Tue Aug 2 12:18:05 UTC 2022


On Tuesday 02 August 2022 at 14:14:58, robert k Wild wrote:

> ok i have tested and this works
> 
> adobe\.com$
> 
> i found it weird this didn't work
> 
> \.adobe\.com
> 
> just curious that's all

Please define "works" and "didn't work" - I've pretty much lost track of 
exactly what you want to match here :(


Antony.

> On Tue, 2 Aug 2022 at 13:05, <ngtech1ltd at gmail.com> wrote:
> > I believe it should have been:
> > 
> > ^adobe\.com$
> > 
> > ^.*\.adobe\.com$
> > 
> > ^\*\.adobe\.com$
> > 
> > 
> > 
> > But I don’t know the code to this depth.
> > 
> > If I would have written the match I think it would have been something a
> > bit different.
> > 
> >    - A match for SNI
> >    - A joker match for SAN ie *.adobe.com SAN should catch both
> >    www.www.adobe.com
> > 
> > But for some reason it’s not like that, I assume the browsers and the
> > libraries don’t implement it for an unknown reason.
> > 
> > 
> > 
> > If Alex or anyone else from Factory knows the details of the ACL they can
> > answer more than me.
> > 
> > 
> > 
> > Thanks,
> > 
> > Eliezer
> > 
> > 
> > 
> > ----
> > 
> > Eliezer Croitoru
> > 
> > NgTech, Tech Support
> > 
> > Mobile: +972-5-28704261
> > 
> > Email: ngtech1ltd at gmail.com
> > 
> > Web: https://ngtech.co.il/
> > 
> > My-Tube: https://tube.ngtech.co.il/
> > 
> > 
> > 
> > *From:* robert k Wild <robertkwild at gmail.com>
> > *Sent:* Tuesday, 2 August 2022 14:51
> > *To:* Eliezer Croitoru <ngtech1ltd at gmail.com>
> > *Cc:* Squid Users <squid-users at lists.squid-cache.org>
> > *Subject:* Re: [squid-users] regex for normal websites
> > 
> > 
> > 
> > thanks Eliezer
> > 
> > 
> > 
> > so it should be
> > 
> > 
> > 
> > adobe\.com
> > 
> > 
> > 
> > not
> > 
> > 
> > 
> > .adobe.\com or
> > 
> > 
> > 
> > ^.*adobe.com
> > 
> > 
> > 
> > as the ^.* could include
> > 
> > 
> > 
> > blahadobe.com
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On Thu, 28 Jul 2022 at 08:14, <ngtech1ltd at gmail.com> wrote:
> > 
> > Hey Robert,
> > 
> > The docs at http://www.squid-cache.org/Doc/config/acl/ state:
> >         acl aclname ssl::server_name_regex [-i] \.foo\.com ...
> >           # regex matches server name obtained from various sources [fast]
> > 
> > I do not know exactly what it means, but it will not work with a
> > helper in most cases.
> > 
> > I have found the following sources in the git:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/bf95c10aa95bf8e56d9d8d1545cb5a3aafab0d2c/doc/release-notes/release-3.5.sgml#L414
> > 
> >                 New types ssl::server_name and ssl::server_name_regex
> >                 to match server name from various sources (CONNECT
> >                 authority name, TLS SNI domain, or X.509 certificate
> >                 Subject Name).
> > 
> > Which means that there is a set of checks which the acl does and not just
> > a domain name.
> > 
> > It’s also even possible that the domain name is not known in the CONNECT
> > state of the connection.
> > 
> > If I remember correctly there is a possibility for browsers to use the
> > same exact connection for multiple domains but
> > I have not seen this yet in production.
> > 
> > With Squid once you bump the connection to HTTP/1.x you can make 100%
> > sure the features of the Host header request.
> > 
> > 
> > 
> > At Servername.cc ie:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L81
> > 
> > 
> > 
> > There is a specific logic of what is done and what is matched but I am
> > not sure what would be used in the case of:
> > 
> > *.adobe.com
> > 
> > 
> > 
> > Certificate SAN.
> > 
> > 
> > 
> > Specifically This part of the Common Names ie SAN:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L105
> > 
> > 
> > 
> > which to my understanding points to:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/d146da3bfe7083381ae7ab38640cbfd0d2542374/src/ssl/support.cc#L195
> > 
> > 
> > 
> > doesn’t make any sense to me. (didn’t try that much to understand)
> > 
> > 
> > 
> > If someone might be able to make sense of things in a synchronic fashion
> > it would help.
> > 
> > (I do not see any debugs usage there or any helping comment )
> > 
> > 
> > 
> > Thanks,
> > 
> > Eliezer
> > 
> > 
> > 
> > 
> > 
> > 
> > *From:* squid-users <squid-users-bounces at lists.squid-cache.org> *On
> > Behalf Of *robert k Wild
> > *Sent:* Wednesday, 27 July 2022 13:52
> > *To:* Squid Users <squid-users at lists.squid-cache.org>
> > *Subject:* Re: [squid-users] regex for normal websites
> > 
> > 
> > 
> > that's the weird thing, when i try this in "ssl::server_name_regex"
> > 
> > .adobe.com
> > 
> > 
> > 
> > it doesn't work
> > 
> > 
> > 
> > you mean escape ie the \ character
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On Wed, 27 Jul 2022 at 11:05, Matus UHLAR - fantomas <uhlar at fantomas.sk>
> > wrote:
> > 
> > On 27.07.22 10:54, robert k Wild wrote:
> > >think i got it right but just want to double check with you guys
> > >
> > >so in my "ssl::server_name" i had
> > >.adobe.com
> > >
> > >that worked but i want to mix normal website and regex websites together so
> > >i just have one list for all
> > 
> > didn't the above work?  AFAIK it should, IIRC domain matching in squid
> > matches "domain.com" if you check for ".domain.com".
> > 
> > >i now have this for "ssl::server_name_regex"
> > >^.*adobe.com$
> > >
> > >it works, so i'm guessing it's right
> > 
> > the dot should be escaped
> > 
> > 
> > --
> > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> > BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> > 
> > 
> > 
> > 
> > --
> > 
> > Regards,
> > 
> > Robert K Wild.
> > 
> > 
> > 
> > 
> > --
> > 
> > Regards,
> > 
> > Robert K Wild.
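
Added example, not part of any message in the thread: the patterns quoted above run against constructed server names, to show which ones also match look-alike hosts. Python's `re` stands in for Squid's regex engine (an assumption; only syntax common to both is used), and the last pattern is an addition that nobody in the thread proposed.

```python
import re

# Patterns quoted in the thread, in the order they appear; the last entry
# is added here for comparison and is not from the thread.
PATTERNS = [
    r"adobe\.com$",
    r"\.adobe\.com",
    r"^adobe\.com$",
    r"^.*\.adobe\.com$",
    r"^\*\.adobe\.com$",
    r"adobe\.com",
    r".adobe.com",
    r"^.*adobe.com$",
    r"(^|\.)adobe\.com$",  # added: apex domain or any subdomain, nothing else
]

# Constructed server names: the apex, a subdomain, a literal wildcard SAN,
# and three look-alikes that an allow-list for adobe.com should not admit.
NAMES = [
    "adobe.com",
    "www.adobe.com",
    "*.adobe.com",
    "blahadobe.com",
    "www.adobe.com.example.net",
    "xadobe-com.example.net",
]


def matched_names(pattern, names=NAMES):
    """Return the names the pattern matches anywhere (unanchored search)."""
    return [n for n in names if re.search(pattern, n)]


def report():
    """Pair every pattern with the list of names it matches."""
    return [(p, matched_names(p)) for p in PATTERNS]


if __name__ == "__main__":
    for pattern, hits in report():
        print(f"{pattern:22} -> {', '.join(hits) or '(none)'}")
```
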

