Re: Bypassing SSL Bump for dstdomain

On 03/06/2013 06:15 AM, Amm wrote:
>> On 03/04/2013 10:11 PM, Amm wrote:
>>
>>>>   # Let user specify domains to avoid decrypting, such as internet banking
>>>>   acl bump-bypass dstdomain .commbank.com.au 
>>>>   ssl_bump none bump-bypass
>>>>   ssl_bump server-first all 
>>
>>
>>>   This will not work for intercepting traffic. Because domain is known
>>>   only after SSL connection is established. So certificate stage etc
>>>   has already passed.
>>
>> It will work but only if the reverse DNS lookup for the intercepted IP
>> address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
>> if given an IP address.
> 
> As per http://www.squid-cache.org/Doc/config/acl/  it's a fast ACL.
> 
> acl aclname dstdomain   .foo.com ...
>     # Destination server from URL [fast]

The documentation should say that it is fast in most cases....

If the user has used the IP address and not the host name as part of the
URL, then squid has to do a reverse lookup to find the domain name.

In the case of transparent SSL interception, squid will have only the IP
address of the destination server, so the reverse lookup is required.

The problem with the reverse lookup is that in most cases it will not give
you the correct domain name. For example, a "host www.paypal.com" returns
the IP address "23.55.226.234". But "host 23.55.226.234" returns as
domain name: <-something->.akamaitechnologies.com

Also, the paypal example maybe says that it is difficult to find a
correct IP address range for some SSL sites...


Regards,
   Christos
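The following is an added illustration, not code from Squid or from anyone in this thread. It models the ACL evaluation the thread discusses: `dstdomain` matches directly when the destination is a host name, but for an intercepted SSL connection Squid only has an IP address, so the match depends on a reverse (PTR) lookup, and when that PTR points at a CDN name the `bump-bypass` rule silently fails to match. DNS is replaced by constructed in-memory tables (the akamai PTR name and the 203.0.113.10 address are placeholders, not real lookups), so the script runs offline.

```python
import ipaddress

# Constructed lookup tables standing in for DNS; no network access is made.
# "ptr-placeholder.akamaitechnologies.com" stands in for the
# "<-something->.akamaitechnologies.com" PTR result described in the thread,
# and 203.0.113.10 is a documentation-range address invented for this example.
FORWARD_DNS = {
    "www.paypal.com": "23.55.226.234",
    "www.commbank.com.au": "203.0.113.10",
}
REVERSE_DNS = {
    "23.55.226.234": "ptr-placeholder.akamaitechnologies.com",
    "203.0.113.10": "www.commbank.com.au",
}


def is_ip(dest):
    """True if the destination is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def domain_matches(name, pattern):
    """Squid dstdomain semantics: a pattern with a leading dot matches the
    domain itself and every subdomain; without the dot it matches only that
    exact host name."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def dstdomain_match(dest, patterns, reverse_dns=REVERSE_DNS):
    """Evaluate a dstdomain ACL against a destination.

    Returns (matched, slow). slow is True when the destination was an IP
    address and a reverse lookup was needed, which is the intercepted-SSL
    case: a missing or unrelated PTR record means no match.
    """
    if is_ip(dest):
        name = reverse_dns.get(dest)
        if name is None:
            return False, True
        return any(domain_matches(name, p) for p in patterns), True
    return any(domain_matches(dest, p) for p in patterns), False


# The ssl_bump rule list from the thread: bypass for listed domains, bump the rest.
RULES = [
    ("none", [".commbank.com.au", ".paypal.com"]),  # ssl_bump none bump-bypass
    ("server-first", None),                         # ssl_bump server-first all
]


def ssl_bump_action(dest, rules=RULES, reverse_dns=REVERSE_DNS):
    """Return the first ssl_bump action whose ACL matches the destination."""
    for action, patterns in rules:
        if patterns is None:  # the 'all' ACL
            return action
        matched, _ = dstdomain_match(dest, patterns, reverse_dns)
        if matched:
            return action
    return "none"  # nothing matched: no bumping


if __name__ == "__main__":
    # Compare the same sites reached by host name (forward proxy with CONNECT)
    # and by bare IP (transparent interception).
    for dest in ["www.paypal.com", FORWARD_DNS["www.paypal.com"],
                 "www.commbank.com.au", FORWARD_DNS["www.commbank.com.au"],
                 "198.51.100.7"]:
        matched, slow = dstdomain_match(dest, RULES[0][1])
        print(f"{dest:24} slow={slow!s:5} bypass={matched!s:5} "
              f"action={ssl_bump_action(dest)}")
```

Running it shows the asymmetry Christos points out: `www.paypal.com` by name is bypassed, but the same site reached as `23.55.226.234` is bumped because the PTR answer is a CDN host name, so a bypass list based on `dstdomain` cannot be relied on for intercepted traffic.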
