
Re: ssl-bump mode

Yeah, you were right. When I replaced
 ssl_bump server-first vk

 with
 ssl_bump server-first all
 it works. But I can't understand how to fix that. I don't want to bump
all connections.
 Thx,
 Jury

> On 07.10.2013 20:35, "Alex Rousskov" <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> > On 10/07/2013 09:19 AM, Alex Rousskov wrote:
>> >> On 10/07/2013 03:29 AM, Jury Bogdanov wrote:
>> >>> Hello. I have some problems with ssl-bump mode. Can you help me, please?
>> >>> My configuration:
>> >>
>> >>> https_port 192.168.56.100:3130 transparent ssl-bump
>> >>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> >>> cert=/home/mut/squid.pem key=/home/mut/squid.key
>> >>> acl vk dstdomain .vk.com
>> >>> ssl_bump server-first vk
>> >>> http_access deny vk all
>> >>
>> >>> But I can open https://vk.com
>>
>>
>> On 10/07/2013 10:57 AM, Jury Bogdanov wrote:
>> > In access.log I see CONNECT request to vk's ip
>>
>>
>> Your vk ACL is not using an IP address, it is using a domain name. The
>> client is using an IP address in their CONNECT request (this is common
>> for some clients). It is likely that the reverse DNS lookup of vk's IP
>> either fails or does not match vk.com. As a result, the vk ACL in your
>> "ssl_bump server-first" rule does not match and the connection is not
>> bumped.
>>
>> To check, you can replace
>>
>>   ssl_bump server-first vk
>>
>> with
>>
>>   ssl_bump server-first all
>>
>> and see if the CA certificate used to encrypt the response changes to
>> that of Squid.
>>
>>
>> BTW, for most purposes,
>>
>>   http_access deny vk all
>>
>> is equivalent to
>>
>>   http_access deny vk
>>
>> Please double check that that is what you expect/want.
>>
>>
>> HTH,
>>
>> Alex.
>> P.S. Please keep this thread on the mailing list.
>>
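
The mismatch Alex describes can be checked against access.log. The following is an added example, not part of the original thread or of Squid: it sorts CONNECT targets into names that an ACL such as `.vk.com` can match directly and IP literals, which match only if reverse DNS maps the address back to the domain. The log lines are constructed, the default native log layout is assumed, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample lines (not from the thread). Assumed layout: Squid's
# default native access.log, with client in field 3, method in 6, URL in 7.
SAMPLE_LOG = """\
1381159200.101    240 192.168.56.10 TCP_MISS/200 5120 CONNECT 203.0.113.10:443 - HIER_DIRECT/203.0.113.10 -
1381159201.202    310 192.168.56.11 TCP_MISS/200 4096 CONNECT login.vk.com:443 - HIER_DIRECT/203.0.113.10 -
1381159202.303    120 192.168.56.12 TCP_MISS/200 2048 CONNECT [2001:db8::10]:443 - HIER_DIRECT/2001:db8::10 -
1381159203.404     80 192.168.56.10 TCP_MISS/200 1024 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html
1381159204.505    200 192.168.56.13 TCP_MISS/200 3072 CONNECT example.org:443 - HIER_DIRECT/198.51.100.7 -
"""

def split_target(target):
    """Split a CONNECT target into (host, port); handles [IPv6]:port."""
    if target.startswith("["):
        host, _, rest = target[1:].partition("]")
        return host, rest.lstrip(":")
    host, _, port = target.partition(":")
    return host, port

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dstdomain_matches(host, pattern):
    """Name-only model of dstdomain: '.vk.com' covers vk.com and its subdomains."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def audit(log_text, pattern):
    """Bucket CONNECT targets: name match, name miss, IP literal (rDNS-dependent)."""
    result = {"matched": [], "unmatched": [], "ip_literal": []}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, _port = split_target(fields[6])
        bucket = ("ip_literal" if is_ip_literal(host)
                  else "matched" if dstdomain_matches(host, pattern) else "unmatched")
        result[bucket].append((fields[2], host))
    return result

if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_LOG, ".vk.com").items():
        print(bucket, entries)
```

Entries in the `ip_literal` bucket are the connections for which a `dstdomain`-based `ssl_bump` or `http_access` rule depends on the reverse DNS result rather than on the name the user typed.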




