On 03/05/2013 09:15 PM, Amm wrote:
> ----- Original Message -----
>> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
>> To: "squid-users@xxxxxxxxxxxxxxx" <squid-users@xxxxxxxxxxxxxxx>
>> Cc:
>> Sent: Wednesday, 6 March 2013 6:20 AM
>> Subject: Re: Bypassing SSL Bump for dstdomain
>>
>> On 03/04/2013 10:11 PM, Amm wrote:
>>
>>>> # Let user specify domains to avoid decrypting, such as internet banking
>>>> acl bump-bypass dstdomain .commbank.com.au
>>>> ssl_bump none bump-bypass
>>>> ssl_bump server-first all

>>> This will not work for intercepting traffic. Because the domain is known
>>> only after the SSL connection is established. So the certificate stage etc.
>>> has already passed.

>> It will work but only if the reverse DNS lookup for the intercepted IP
>> address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
>> if given an IP address.

> As per http://www.squid-cache.org/Doc/config/acl/ it's a fast ACL.
>
> acl aclname dstdomain .foo.com ...
> # Destination server from URL [fast]

... but could be a slow ACL. Read a few lines lower:

> # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
> # based URL is used and no match is found. The name "none" is used
> # if the reverse lookup fails.

>>> I am also assuming that squid checks IP based ACLs for ssl_bump
>>> before establishing connection with client.

>> Squid checks all ssl_bump ACLs before establishing a TCP connection with
>> the server. The TCP connection from the client is already accepted (or
>> intercepted) by the time ssl_bump ACL is checked.

> What I would like to know is, does squid check ssl_bump ACL before starting
> SSL connection with client OR after? (for intercepting on https_port)

Squid does not establish an SSL connection with the TCP client if "ssl_bump none" matches.

HTH,

Alex.