[squid-users] Put URLs and URL regex in one text file
robert k Wild
robertkwild at gmail.com
Sat May 21 07:08:32 UTC 2022
Thanks Amos,
So does that mean for all my SSL::server_name ACLs, I should be using
SSL_bump and not http_access
On Sat, 21 May 2022, 06:10 Amos Jeffries, <squid3 at treenet.co.nz> wrote:
> On 20/05/22 23:26, robert k Wild wrote:
> > Sorry I'm a bit thick
> >
>
> Don't be. These things beyond plain-text HTTP are unfortunately a bit
> complex.
>
> The key thing to remember is that Squid is dealing with *layers* of
> protocols wrapped around each other.
>
> This wiki page
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Terminology>
> documents the process as well as we can.
>
> > So I've read SSL::server_name_regex which uses sni is better than
> > dstdomain_regex
> >
> > So I think I'm better of using the sni one then ?
> >
>
> Neither is "better". They check different things.
>
> Usually checking _both_ is useful since "HTTPS" is an HTTP request (with
> domain) wrapped inside TLS (with SNI). The two values there are usually
> supposed to be the same, but may not be.
>
> The ssl_bump access controls should check ssl::server_name* ACLs.
>
> The http_access should check dst* ACLs for HTTP message URL, and may
> also check ssl::* ACLs for TLS details (including the TLS server name).
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20220521/3714ac3c/attachment-0001.htm>
More information about the squid-users
mailing list