I use a PAC file that points some domains to an ssl-bump proxy and some to a non-ssl-bump one. Works for me:

function FindProxyForURL(url, host) {
    // Internal domains, the 10.15/16 range, loopback and bare hostnames go direct
    if ( dnsDomainIs(host, ".because.org.uk")
      || dnsDomainIs(host, ".bec.lan")
      || dnsDomainIs(host, ".nbt.nhs.uk")
      || isInNet(host, "10.15.0.0", "255.255.0.0")
      || isInNet(host, "127.0.0.1", "255.0.0.0")
      || isPlainHostName(host)
      || dnsDomainIs(host, "iriscamera.bec.lan") ) {
        return "DIRECT";
    }
    // Only YouTube is sent to the bumping proxy
    if ( dnsDomainIs(host, "youtube.com") ) {
        return "PROXY 10.15.244.40:3129";  // ssl bump youtube
    }
    return "PROXY 10.15.244.26:3128";      // don't bump anything else
}

Jim

On 4 February 2014 10:34, Yury Paykov <cry5tal@xxxxxxxxxx> wrote:
> Hello, squid users, I'm currently having an issue trying to configure Squid
> (use 3.3) to bypass a handful of sites.
> I mean, I want squid to NOT bump the connection.
>
> I employ the following in the config:
>
> acl https_proxy dstdomain www.google.com
> acl https_proxy dstdomain google.ru
>
> ssl_bump none https_proxy
> ssl_bump server-first all
>
> This should work like "If google, do not bump, else ssl-bump the connection".
> However, it doesn't work as expected and instead bumps google as well.
>
> When I used debugging, I saw that squid actually checks the IP address and then
> the PTR entry, where neither is *google* anything:
>
> 2014/02/04 14:36:30.428| Acl.cc(336) matches: ACLList::matches: checking https_proxy
> 2014/02/04 14:36:30.428| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'https_proxy'
> 2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList: checking '173.194.71.94'
> 2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList: '173.194.71.94' NOT found
> 2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList: checking 'lb-in-f94.1e100.net'
> 2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList: 'lb-in-f94.1e100.net' NOT found
>
> MY QUESTION IS - Is there a way to use CN information from the server
> certificate which is retrieved with the /server-first/ method? Can I construct
> an ACL rule based on it?
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-bump-ACL-for-destdomain-tp4664589.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
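To check which hosts a PAC like the one above actually hands to the bumping proxy before deploying it, here is an added JavaScript harness (not from Jim's post, Squid or any browser) that stubs the PAC helper functions and runs FindProxyForURL over a few constructed hostnames. The stubs, routeFor, routingTable and SAMPLE_HOSTS are assumptions of this example; in particular the isInNet stub only accepts literal IPv4 addresses and does not resolve names as a real browser would.

```javascript
// Stand-ins for the helpers a browser's PAC engine provides (constructed for
// this harness; isInNet does not resolve names, it only accepts literal IPv4).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function ip4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ip4ToInt(mask);
  return ((ip4ToInt(host) & m) >>> 0) === ((ip4ToInt(pattern) & m) >>> 0);
}

// The PAC from the post, same logic: internal names direct, YouTube bumped.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".because.org.uk") || dnsDomainIs(host, ".bec.lan") ||
      dnsDomainIs(host, ".nbt.nhs.uk") ||
      isInNet(host, "10.15.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.1", "255.0.0.0") ||
      isPlainHostName(host) || dnsDomainIs(host, "iriscamera.bec.lan")) {
    return "DIRECT";
  }
  if (dnsDomainIs(host, "youtube.com")) return "PROXY 10.15.244.40:3129"; // bump
  return "PROXY 10.15.244.26:3128";                                       // no bump
}

// Route one hostname and report whether it lands on the bumping proxy.
function routeFor(host) {
  const proxy = FindProxyForURL("https://" + host + "/", host);
  return { proxy: proxy, bumped: proxy === "PROXY 10.15.244.40:3129" };
}

// Constructed sample hosts. Note the last one: dnsDomainIs() is a plain
// suffix match, so "notyoutube.com" is also sent to the bumping proxy;
// matching ".youtube.com" (leading dot) restricts it to real subdomains.
const SAMPLE_HOSTS = ["www.youtube.com", "www.google.com", "intranet",
                      "10.15.3.7", "cam.bec.lan", "notyoutube.com"];
function routingTable() {
  return SAMPLE_HOSTS.map(h => [h, routeFor(h).proxy]);
}
for (const [h, p] of routingTable()) console.log(h.padEnd(18), p);
```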