[squid-users] regex for normal websites
Amos Jeffries
squid3 at treenet.co.nz
Wed Aug 3 02:09:57 UTC 2022
On 3/08/22 05:01, robert k Wild wrote:
> Mmm, maybe I should try
>
> dstdom_regex
>
> Instead of
>
> ssl::server_name_regex
>
> But when you're using ssl bump in your squid.conf, isn't it best to use
>
> ssl::server_name_regex
>
Typically yes, or ssl::server_name.

FYI, the two ACL types do exactly the same matching algorithm. They
differ only in what detail from the traffic they match against:

* dstdomain matches:
  - the domain found in HTTP request-target (aka URL or URI), or
  - the reverse-DNS hostname for a raw-IP found in HTTP request-target
    (aka URL or URI).

* ssl::server_name matches whichever is available from (in order of
  preference):
  - the request-target URL domain from decrypted HTTP(S) message, or
  - the host name from SSL server certificate AltSubject, or
  - the host name from TLS SNI message, or
  - the domain from request-target URI of CONNECT request.

... in that order of preference for both.

HTH
Amos
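
Added example, not part of the original message or of the Squid project's own configuration: a squid.conf fragment that applies one pattern through both regex ACL types discussed in this thread, each in the place where the detail it matches against is available. The domain example.com and the ACL names allowed_url, allowed_tls and step1 are assumptions chosen for illustration.

```conf
# Constructed example; example.com and the ACL names are placeholders.

# Same regex, two ACL types. Per the message above the matching is the
# same; only the traffic detail being matched differs.
acl allowed_url dstdom_regex           -i (^|\.)example\.com$
acl allowed_tls ssl::server_name_regex -i (^|\.)example\.com$

# dstdom_regex is tested against the domain in the HTTP request-target
# (or the reverse-DNS name when the request-target holds a raw IP).
http_access allow allowed_url
http_access deny all

# ssl::server_name_regex is tested against whichever of these is
# available, in order of preference: decrypted request URL domain,
# server certificate name, TLS SNI, CONNECT request-target domain.
# That makes it the type to use in ssl_bump decisions.
acl step1 at_step SslBump1
ssl_bump peek step1          # read the client hello to learn the SNI
ssl_bump splice allowed_tls  # tunnel matching servers without decrypting
ssl_bump terminate all       # close every other TLS connection
```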