Thanks Alex and Amos. I'm now using two ACLs: dst and dstdomain. It works fine.

Shawn, no, I want to bump more domains. Yes, I thought about this method. My first message was an example.

2013/10/8 shawn wilson <ag4ve.us@xxxxxxxxx>:
> If I understand correctly, you want to bump IPs from one domain, right?
>
> In your iptables rule, before it is redirected to squid, either have a
> jump with a list of IPs for that domain (or preferably an ipset list)
> and update that list with an external script (cron job or whatever).
> It's also possible to use a DNS server like powerdns that allows for
> different backends and could do this for you basically live (the name
> resolution is made before the request so if the rule is in place
> before the request you're set).
>
> Yeah, I'm speaking pretty abstractly as this will be a bit of work but
> quite doable.
>
> On Tue, Oct 8, 2013 at 3:25 PM, Alex Rousskov
> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> On 10/08/2013 01:35 AM, Jury Bogdanov wrote:
>>
>>> To isolate the IPs I need to know all of them. But I don't know all
>>> IPs. Some domains have a lot of IPs. Squid can't resolve the IPs?
>>
>>
>> Squid can (and does) perform a reverse DNS lookup when the request uses
>> an IP address and your ACL is using a domain name. Whether that reverse
>> DNS lookup is successful at all, or whether its result (the domain name)
>> matches your domain-based ACL value is outside of Squid's control. The
>> former depends primarily on the authoritative DNS zone setup. The latter
>> depends on that zone and on your ACL.
>>
>> You can try performing reverse lookups yourself using the logged IP
>> address and command tools like dig. Squid results may differ, but often
>> do not, especially if both Squid and your command line tool are
>> configured to use the same DNS resolver.
>>
>>
>> Many popular sites use dozens of IP addresses, some of which cannot be
>> resolved back to the site name. IP:domain may also depend on the
>> physical location of the DNS client (i.e., Squid). I know some admins
>> that write complicated distributed scripts that try to maintain an
>> IP:domain map for some special cases of very popular sites and use that
>> in their bumping rules...
>>
>>
>> Good luck,
>>
>> Alex.
>>
>>
>>
>>> 2013/10/8 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>> On 8/10/2013 8:07 a.m., Jury Bogdanov wrote:
>>>>>
>>>>> Yeah, you were right. When I replaced
>>>>> ssl_bump server-first vk
>>>>>
>>>>> with
>>>>> ssl_bump server-first all
>>>>> it works. But I can't understand how to fix that. I don't want to bump
>>>>> all connections.
>>>>
>>>>
>>>> That change was just a test to verify Alex's theory was correct.
>>>>
>>>> For the final config you need to find some ACL condition or test that
>>>> matches the traffic you want to match. You can do so with multiple ssl_bump
>>>> lines and/or ACLs if necessary.
>>>>
>>>> The specifics are up to you, but it sounds like you need to isolate the IPs
>>>> for that domain and permit bumping for them as well as for its domain name.
>>>>
>>>> Amos
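A squid.conf fragment showing the two-ACL approach Amos describes and Jury says he settled on (an added example written for this thread, not configuration posted by anyone in it; the domain .vk.com, the ACL names and the IP-list path are assumptions):

```conf
# Added example, not from the thread. Assumes the target site is vk.com and
# that intercepted HTTPS traffic reaches Squid as bare destination IPs.

# Matches when Squid knows the hostname: an explicit CONNECT vk.com:443, or an
# intercepted IP whose reverse DNS lookup succeeds and maps back to the domain.
acl vk dstdomain .vk.com

# Matches the destination IPs directly, for intercepted connections whose
# reverse lookup fails or returns an unrelated (e.g. CDN) name. One IP or
# CIDR per line; the path is a placeholder and the list is maintained out of band.
acl vk_ips dst "/etc/squid/vk_ips.txt"

# ACLs on a single ssl_bump line are ANDed, so one line per ACL gives OR.
# Only connections matching either ACL are bumped; the final "none all"
# line leaves every other connection untouched instead of bumping everything.
ssl_bump server-first vk
ssl_bump server-first vk_ips
ssl_bump none all
```

Squid's reverse lookup result for an intercepted IP is what decides whether the dstdomain line fires, so the dst list is the fallback for IPs that do not resolve back to the domain.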