Yeah, you were right. When I replaced "ssl_bump server-first vk" with "ssl_bump server-first all", it works. But I can't understand how to fix that. I don't want to bump all connections.

Thx, Jury

> On 07.10.2013 20:35, "Alex Rousskov" <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 10/07/2013 09:19 AM, Alex Rousskov wrote:
>> On 10/07/2013 03:29 AM, Jury Bogdanov wrote:
>>> Hello. I have some problems with ssl-bump mode. Can you help me, please?
>>> My configuration:
>>>
>>>     https_port 192.168.56.100:3130 transparent ssl-bump
>>>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>>         cert=/home/mut/squid.pem key=/home/mut/squid.key
>>>     acl vk dstdomain .vk.com
>>>     ssl_bump server-first vk
>>>     http_access deny vk all
>>>
>>> But I can open https://vk.com
>
> On 10/07/2013 10:57 AM, Jury Bogdanov wrote:
>> In access.log I see CONNECT request to vk's ip
>
> Your vk ACL is not using an IP address, it is using a domain name. The
> client is using an IP address in their CONNECT request (this is common
> for some clients). It is likely that the reverse DNS lookup of vk's IP
> either fails or does not match vk.com. As a result, the vk ACL in your
> "ssl_bump server-first" rule does not match and the connection is not
> bumped.
>
> To check, you can replace
>
>     ssl_bump server-first vk
>
> with
>
>     ssl_bump server-first all
>
> and see if the CA certificate used to encrypt the response changes to
> that of Squid.
>
> BTW, for most purposes,
>
>     http_access deny vk all
>
> is equivalent to
>
>     http_access deny vk
>
> Please double check that that is what you expect/want.
>
> HTH,
>
> Alex.
>
> P.S. Please keep this thread on the mailing list.
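The diagnosis in the thread (a dstdomain ACL cannot match a CONNECT whose target is an IP literal unless the reverse lookup of that IP yields a name under the domain) can be checked against your own access.log before changing the ssl_bump rules. The script below is an added example written for this page, not code from the thread or from the Squid project. It parses Squid's default native log format, evaluates a dstdomain-style pattern the way Alex describes it (direct name comparison for hostnames, PTR lookup first for IP literals), and flags each CONNECT that the ACL would miss. The log lines, the IPs (RFC 5737 documentation addresses, not vk.com's real addresses) and the PTR table are all constructed so it runs offline; swap `FAKE_PTR.get` for `system_ptr` to use the real resolver.

```python
import ipaddress
import re
import socket
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default native access.log format:
# timestamp elapsed client status/code bytes method url user hier/peer type
SAMPLE_ACCESS_LOG = """\
1381159200.101    312 192.168.56.1 TCP_MISS/200 4210 CONNECT vk.com:443 - HIER_DIRECT/203.0.113.7 -
1381159200.204    298 192.168.56.1 TCP_MISS/200 3987 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -
1381159200.355     15 192.168.56.1 TCP_MISS/200 2210 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

# Constructed reverse-DNS table standing in for the system resolver. The
# addresses are documentation-range placeholders, not vk.com's real IPs.
FAKE_PTR = {
    "203.0.113.7": None,                # no PTR record: the lookup fails
    "203.0.113.8": "srv8.example.net",  # PTR exists but is not under vk.com
    "203.0.113.9": "front9.vk.com",     # PTR under vk.com: the ACL would match
}

# Only the fields up to the URL are needed here.
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def system_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup via the system resolver (not used by the offline sample)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def match_dstdomain(host: str, pattern: str) -> bool:
    """dstdomain semantics: a leading dot matches the domain itself and every
    subdomain; without a leading dot the name must match exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def acl_dstdomain_matches(host: str, pattern: str,
                          rdns: Callable[[str], Optional[str]]) -> bool:
    """Evaluate the ACL as the thread describes it: an IP literal is first
    reverse-resolved, and a failed or mismatching PTR means no match."""
    if is_ip_literal(host):
        name = rdns(host.strip("[]"))
        return name is not None and match_dstdomain(name, pattern)
    return match_dstdomain(host, pattern)


def connect_target(url: str) -> tuple:
    """CONNECT URLs are host:port; rpartition keeps bracketed IPv6 intact."""
    host, _, port = url.rpartition(":")
    return host, int(port)


def audit_log(log_text: str, pattern: str,
              rdns: Callable[[str], Optional[str]]) -> list:
    """Return one finding per request: the destination host, whether it is an
    IP literal, and whether the dstdomain ACL would have matched it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, url = m.group("method"), m.group("url")
        host = connect_target(url)[0] if method == "CONNECT" \
            else (urlsplit(url).hostname or "")
        findings.append({
            "method": method,
            "host": host,
            "ip_literal": is_ip_literal(host),
            "acl_match": acl_dstdomain_matches(host, pattern, rdns),
        })
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_ACCESS_LOG, ".vk.com", FAKE_PTR.get):
        note = "" if f["acl_match"] or not f["ip_literal"] \
            else "  <- IP-literal CONNECT the dstdomain ACL misses"
        print(f'{f["method"]:8} {f["host"]:20} match={f["acl_match"]}{note}')
```

Run against a real access.log by reading the file into `audit_log` with `system_ptr` as the resolver; every CONNECT flagged as an IP literal with `match=False` is a connection that `ssl_bump server-first vk` will leave unbumped, which is exactly why `http_access deny vk` never saw the vk.com host in the original configuration.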