I've written a little helper to do ssl callouts to determine if the server is running ssl at all (eg not tunnelling over ssl), and also to be able to do limited ACL on CN/SAN. The main limitation is the way larger organisations will often have one SSL cert that covers many URLs (eg google cert also covers google.com, youtube.com etc).

Currently I need to do it like:

    external_acl_type cert_callout %DST %PORT /usr/local/squid/libexec/ext_cert_callout_acl
    acl banks dstdomain .bigbank.com
    acl banks dstdomain .otherbank.com
    acl is_ssl external cert_callout IS_SSL
    acl banks_callout external cert_callout SAN .bigbank.com
    acl banks_callout external cert_callout SAN .otherbank.com
    ssl_bump splice !is_ssl
    ssl_bump splice banks
    ssl_bump splice banks_callout
    ssl_bump bump all

But I'd rather not have to maintain the banks and the banks_callout lists separately when they are identical. Apart from sticking them in a separate file, are there any shortcuts I can take?

Also, it would be good if squid could make use of the CN from the certificate for logging, so instead of "CONNECT <IP>:<PORT>", I could log "CONNECT <CN>:<PORT>", which would really clean up the logs (apart from the cases mentioned above). I think I can use tag= or log=, but that would preclude me from using them for anything else (I'm not using them for anything else at the moment but still...)

Thanks
James

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
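The post describes an external ACL helper that is called with `%DST %PORT` plus the acl line's extra arguments (`IS_SSL`, or `SAN <pattern>`) and answers whether the destination speaks TLS and whether its certificate names cover a dstdomain-style pattern. The following is an added illustration of such a helper, written for this reply; it is not James's ext_cert_callout_acl and not Squid project code. It assumes the Squid 3.4+ helper line protocol (`OK` / `ERR` / `BH`, with optional key=value pairs, no `concurrency=` channel id), the dstdomain matching rule that a leading dot covers the domain and all subdomains, and that a wildcard SAN covers exactly one label. The `SAMPLE_BANK_CERT` dictionary is constructed test data in the shape `ssl.getpeercert()` returns. Two defender-side details are deliberate: the name check only runs on a certificate whose chain verified (a TLS server with an unverifiable chain still counts as `IS_SSL`, but its names are not trusted for a splice decision), and the matched name is returned as `log=` so it can reach access.log through the `%ea` format code.

```python
#!/usr/bin/env python3
"""Added example: Squid external ACL helper doing a per-destination TLS callout.

Squid sends one line per lookup, "<dst> <port> <check> [<pattern>]", and
expects one answer line back ("OK", "ERR" or "BH", optionally with
key=value pairs).  Not the original poster's helper; see lead-in.
"""
import socket
import ssl
import sys

# Constructed sample, shaped like the dict ssl.getpeercert() returns.
SAMPLE_BANK_CERT = {
    "subject": ((("commonName", "www.bigbank.com"),),),
    "subjectAltName": (("DNS", "www.bigbank.com"), ("DNS", "*.bigbank.com")),
}


def matches_domain(pattern, name):
    """Squid dstdomain semantics: '.example.com' matches the domain and every
    subdomain; any other pattern must match exactly (case-insensitive)."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        base = pattern[1:]
        return name == base or name.endswith("." + base)
    return name == pattern


def cert_name_matches(cert_name, pattern):
    """Match one certificate name (CN or DNS SAN) against a dstdomain pattern.
    A wildcard covers exactly one label and never the apex: '*.bigbank.com'
    satisfies '.bigbank.com' and 'login.bigbank.com', not 'bigbank.com'."""
    cert_name = cert_name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if cert_name.startswith("*."):
        base = cert_name[2:]
        if pattern.startswith("."):
            return matches_domain(pattern, base)
        label, _, parent = pattern.partition(".")
        return bool(label) and parent == base
    return matches_domain(pattern, cert_name)


def cert_names(cert):
    """Collect the CN and every DNS SAN from a getpeercert() dictionary."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def fetch_peer_cert(dst, port, timeout=5.0):
    """TLS handshake to dst:port.  Returns the parsed certificate when the
    chain verifies, {} when the server speaks TLS but the chain does not
    verify, and raises OSError (ssl.SSLError is one) when there is no TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the name ACL is applied by decide()
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dst, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=dst) as tls:
                return tls.getpeercert()
        except ssl.SSLCertVerificationError:
            return {}


def decide(dst, port, check, pattern=None, fetch=fetch_peer_cert):
    """Build the answer line for one Squid lookup; `fetch` is injectable so
    the decision logic can be exercised without a network."""
    try:
        cert = fetch(dst, int(port))
    except OSError:                      # refused, timeout, or not TLS at all
        cert = None
    if check == "IS_SSL":
        return "OK" if cert is not None else "ERR"
    if check == "SAN":
        if not cert or pattern is None:  # unverified chain never passes a name ACL
            return "ERR"
        for name in cert_names(cert):
            if cert_name_matches(name, pattern):
                return "OK log=" + name   # visible in access.log as %ea
        return "ERR"
    return "BH message=unknown_check_" + check


def demo():
    """Run decide() against the constructed sample without touching the network."""
    ok = lambda d, p: SAMPLE_BANK_CERT
    untrusted = lambda d, p: {}
    return {
        "is_ssl": decide("203.0.113.10", "443", "IS_SSL", fetch=ok),
        "san_hit": decide("203.0.113.10", "443", "SAN", ".bigbank.com", fetch=ok),
        "san_miss": decide("203.0.113.10", "443", "SAN", ".otherbank.com", fetch=ok),
        "san_untrusted": decide("203.0.113.10", "443", "SAN", ".bigbank.com", fetch=untrusted),
    }


def main():
    for line in sys.stdin:
        fields = line.split()
        answer = decide(*fields[:4]) if len(fields) >= 3 else "BH message=bad_request"
        sys.stdout.write(answer + "\n")
        sys.stdout.flush()               # Squid blocks until the answer line arrives


if __name__ == "__main__":
    main()
```

With this shape, one `acl banks external cert_callout SAN .bigbank.com` line per bank is still needed on the Squid side; what the helper buys is that the splice decision is tied to a verified certificate rather than to the CONNECT target alone, and the `log=` value gives the logging hook the post asks about without reusing `tag=`.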