Re: Fwd: detect user agent for ssl_bump using transparent mode on squid 3.3.3


On 04/12/2013 08:30 AM, Marcello Coutinho wrote:

> I'm trying to create some acls based on client browsers following
> instructions from
> http://wiki.squid-cache.org/ConfigExamples/Chat/Skype
> http://www.squid-cache.org/Doc/config/acl/
> 
> But those work only in non-transparent mode.
> 
> Is there a way to get around this, a Squid option for example?
> 
> The access log file shows user's browser while using combined logs but
> it seems that ssl_bump checks are done before user agent info.

When you intercept SSL, the decision on whether to bump the intercepted
SSL connection is done using TCP-level information. Once Peek and Splice
is ready, SSL Hello information will also be available (at the cost of
having to splice the client and server connections back after fiddling
with them).

Squid will never be able to make a bumping (or splicing) decision based on
the HTTP User-Agent header because, to get that header, Squid must first
bump the intercepted connection. In an interception environment, there is
no unencrypted CONNECT request to get the User-Agent header from...


HTH,

Alex.
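
The split described in the reply above, as an added squid.conf example that is not part of the original message or of the Squid project's own documentation: the bump decision uses only TCP-level ACLs (src, dst), and User-Agent matching is applied in http_access to requests that were already bumped. The port number, certificate path, addresses and ACL names are assumptions chosen for illustration.

```conf
# Added example for Squid 3.3.x interception with SslBump.
# Port, certificate path, addresses and ACL names are placeholders.

# Intercepted HTTPS traffic arrives here (redirected by the firewall).
https_port 3129 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/proxyCA.pem

# Stage 1: bump decision.
# Only TCP-level data (client address, destination address and port) exists
# at this point, so a "browser" ACL has nothing to match against here.
acl no_bump_dst dst 203.0.113.0/24   # constructed: destinations left encrypted
acl no_bump_src src 192.0.2.10       # constructed: client exempt from bumping

ssl_bump none no_bump_dst
ssl_bump none no_bump_src
ssl_bump server-first all

# Stage 2: access control on decrypted requests.
# Requests inside a bumped connection carry HTTP headers, so a User-Agent
# ACL can match them. Connections exempted above are never decrypted and
# never reach this check with a User-Agent.
acl blocked_agent browser -i ^Skype
http_access deny blocked_agent
```

With this layout, User-Agent rules only ever affect traffic that stage 1 chose to bump; exempting a destination from bumping also exempts it from any browser-based policy.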




