[squid-users] Put URLs and URL regex in one text file
Amos Jeffries
squid3 at treenet.co.nz
Sat May 21 05:04:43 UTC 2022
On 20/05/22 23:26, robert k Wild wrote:
> Sorry I'm a bit thick
>
Don't be. These things beyond plain-text HTTP are unfortunately a bit
complex.
The key thing to remember is that Squid is dealing with *layers* of
protocols wrapped around each other.
This wiki page
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Terminology>
documents the process as well as we can.
> So I've read SSL::server_name_regex which uses sni is better than
> dstdomain_regex
>
> So I think I'm better off using the SNI one then?
>
Neither is "better". They check different things.
Usually checking _both_ is useful since "HTTPS" is an HTTP request (with
domain) wrapped inside TLS (with SNI). The two values there are usually
supposed to be the same, but may not be.
The ssl_bump access controls should check ssl::server_name* ACLs.
The http_access should check dst* ACLs for HTTP message URL, and may
also check ssl::* ACLs for TLS details (including the TLS server name).
HTH
Amos
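
The split described in the reply above, as an added squid.conf sketch that is not part of the original message. The ACL names and the file path are assumptions; it also assumes an explicit (forward) proxy whose http_port already has ssl-bump and a signing certificate configured, which is omitted here.

```squidconf
# Added example, not from the original thread.
# ACL names and /etc/squid/allowed_hosts.txt are assumed for illustration.

# One host list (entries such as .example.com), loaded into two ACL types
# because each type inspects a different protocol layer.
acl allowed_sni ssl::server_name "/etc/squid/allowed_hosts.txt"
acl allowed_dst dstdomain        "/etc/squid/allowed_hosts.txt"

acl step1 at_step SslBump1

# HTTP layer: dst* ACLs match the host in the request URL. For HTTPS
# through an explicit proxy that is the CONNECT target.
http_access allow allowed_dst
http_access deny all

# TLS layer: ssl::server_name* ACLs match the server name from the TLS
# handshake. Peek first so the client's SNI is available to match on.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all
```

A client can send a CONNECT host that passes http_access and a different SNI; with this layout the ssl_bump rules still terminate that connection, which is why both layers are checked.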