> On 10/07/2013 09:19 AM, Alex Rousskov wrote:
> On 10/07/2013 03:29 AM, Jury Bogdanov wrote:

>>> Hello. I have some problems with ssl-bump mode. Can you help me, please?
>>> My configuration:
>>
>>> https_port 192.168.56.100:3130 transparent ssl-bump
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> cert=/home/mut/squid.pem key=/home/mut/squid.key
>>> acl vk dstdomain .vk.com
>>> ssl_bump server-first vk
>>> http_access deny vk all
>>
>>> But I can open https://vk.com

On 10/07/2013 10:57 AM, Jury Bogdanov wrote:
> In access.log I see CONNECT request to vk's ip

Your vk ACL is not using an IP address, it is using a domain name. The
client is using an IP address in their CONNECT request (this is common
for some clients). It is likely that the reverse DNS lookup of vk's IP
either fails or does not match vk.com. As a result, the vk ACL in your
"ssl_bump server-first" rule does not match and the connection is not
bumped.

To check, you can replace

    ssl_bump server-first vk

with

    ssl_bump server-first all

and see if the CA certificate used to encrypt the response changes to
that of Squid.

BTW, for most purposes,

    http_access deny vk all

is equivalent to

    http_access deny vk

Please double check that that is what you expect/want.

HTH,

Alex.

P.S. Please keep this thread on the mailing list.
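
The mismatch described in the reply above, as an added example that is not part of the original message: a Python model of `dstdomain` matching run over access.log lines to list the IP-literal CONNECT requests a `.vk.com` ACL would not match. The log lines, the 203.0.113.x addresses, the PTR table and the function names are constructed for illustration; the `none` fallback for a failed reverse lookup follows Squid's documented `dstdomain` behaviour.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation addresses, not real vk.com hosts.
PTR = {"203.0.113.20": "srv20.vk.com", "203.0.113.30": "edge30.cdn.example"}
LOG = [
    "1381139820.101 215 192.168.56.10 TCP_MISS/200 4521 CONNECT 203.0.113.10:443 - HIER_DIRECT/203.0.113.10 -",
    "1381139821.202 198 192.168.56.10 TCP_MISS/200 3310 CONNECT 203.0.113.20:443 - HIER_DIRECT/203.0.113.20 -",
    "1381139822.303 240 192.168.56.11 TCP_MISS/200 2788 CONNECT 203.0.113.30:443 - HIER_DIRECT/203.0.113.30 -",
    "1381139823.404 120 192.168.56.11 TCP_MISS/200 1024 CONNECT vk.com:443 - HIER_DIRECT/203.0.113.20 -",
    "1381139824.505  90 192.168.56.12 TCP_MISS/200  512 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html",
]

def dstdomain_matches(pattern, host):
    """A leading dot ('.vk.com') matches vk.com itself and any subdomain."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def acl_name_for(host, ptr):
    """Name the ACL is tested against: the PTR name for an IP, 'none' if lookup fails."""
    return ptr.get(host, "none") if is_ip(host) else host

def ip_connects_missed_by_acl(log_lines, pattern, ptr):
    """CONNECT targets given as IP literals that the dstdomain ACL does not match."""
    missed = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host = fields[6].rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
        if is_ip(host) and not dstdomain_matches(pattern, acl_name_for(host, ptr)):
            missed.append(fields[6])
    return missed

if __name__ == "__main__":
    for target in ip_connects_missed_by_acl(LOG, ".vk.com", PTR):
        print("not matched by dstdomain ACL:", target)
```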