[squid-users] disable https inspection for licensing some apps

Alex Rousskov rousskov at measurement-factory.com
Wed May 18 18:38:47 UTC 2022 

On 5/18/22 12:28, robert k Wild wrote:

> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointercept.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all

OK, the above configuration makes the splice/bump decision based on 
plain text information provided by the TLS client.


> and in the nointercept.txt
> i have the url in there

ssl::server_name needs a host/domain name, not a regular URL. No URLs 
are exchanged in plain text between TLS client and the origin server.

Please note that, even after adjusting nointercept.txt to contain domain 
name(s), the above configuration may not always work in modern Squids: 
It will work when the client sends a matching domain name

* in the CONNECT request headers (and sends no TLS SNI at all)
* in the CONNECT request headers and in TLS SNI
* in TLS SNI (the CONNECT request headers should not matter).

It will also work when a CONNECT request is using an IP address that 
reverse-resolves to a matching domain name (which is not overwritten by 
a mismatching SNI).

In all other cases, Squid will bump traffic even if it is ultimately 
going to the server named in nointercept.txt.

There is no configuration that will address all possible cases in 
general. TLS makes that impossible (at least not without probing TLS 
origin servers which is something Squid does not do yet).


HTH,

Alex.


>, also i have it in the url white list so it can actually see the url
> 
> is there something else i need to add for this to work
> 
> or maybe some websites ie license website just dont like it going through a proxy
> 
> 
> On Wed, 18 May 2022 at 16:57, robert k Wild <robertkwild at gmail.com 
> <mailto:robertkwild at gmail.com>> wrote:
> 
>     hi all,
> 
>     i have squid proxy configured as ssl bump and i white list some
>     websites only
> 
>     but for some websites i dont want to inspect https traffic as it
>     breaks the cert when i want to license some apps via the url
>     (whitelist url)
> 
>     how can i disable https inspection for some websites please
> 
>     many thanks,
>     rob
> 
>     -- 
>     Regards,
> 
>     Robert K Wild.
> 
> 
> 
> -- 
> Regards,
> 
> Robert K Wild.
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list