Agreed. I'm an expert on shell, not Perl/Python. :) But will try to make something useful with it.

05.01.2015 22:28, Eliezer Croitoru wrote:
> On 01/05/2015 05:18 PM, Yuri Voinov wrote:
>> We aren't filtering non-HTTP over port 443. Just recognize and pass.
>
> So let's separate security, which is one of the goals of squid and which some like and others don't.
>
> For now squid 3.4 is stable and 3.5 is in beta and trunk is not for the public use.
> In 3.5 there will be a new feature called peek and splice that can give an interface to squid and the admin which will allow the admin to know a couple of things about the connection from squid and specifically first the client TLS request.
> Once squid bumps a connection there are a couple of steps until the connection is fully established between the client and the server:
> - receive the TCP connection from client
> - BUMP server or client FIRST
> - determine what certificate to send to the client based on the server initial ssl response
> - fake it
> - send to the client
> - MITM between two tls connections on the proxy while inspecting the content in the software layer.
>
> Peek and splice will add another step between the first part and the second, which will allow SNI usage.
> All the above is to allow better BUMPING.
> There might be, or probably will be, an interface that will identify or will try to identify, inside the current stages of the connection bumping, if the connection is indeed TLS or another one.
> The first step of peek and splice can identify if the connection from the client side has started using valid TLS\SSL headers.
>
> Leaving aside all the BUMPING yes or no, you (Yuri) need a very specific tool or want a very specific tool.
> The basic interface of the external_acl can provide enough data on the connection in order to enforce some rules.
> You can either use the client IP address or just the destination IP and PORT.
>
> I cannot speak for the squid project but I am almost sure that the squid project will not provide you with an official helper and will not support it.
> However squid external_acl is there especially to help others achieve what they want using a variety of parameters from squid internals.
> The external_acl interface provides internal caching which supports caching ttl with different values for the two options, either allow (OK) or DENY (ERR).
>
> My suggestion stays: don't use sqlite if possible.
> There is a sketch for a helper like you seem to want.
> Take the glove and write pseudo code for the helper idea based on the assumptions:
> - There is a DB which can store timestamps, ip, port, result of test, etc
> - There is a way to check if the certificate is valid and the server works with TLS\SSL
> - There is no way for the helper to know that a certificate is pinned
> - There is a way to add static records to the DB (web interface, cli)
> - All the requests will come from the proxy IP address and can by some be identified as an attack.
> - ufdbguard does not provide your needs since it uses the url_rewrite interface and doesn't have the needed functionalities for you.
>
> The best I have seen until now was the python helper.
> If in a couple (4-5) of months nobody does something with this I will see then what can be done with this, if at all.
>
> Eliezer
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
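The external_acl helper sketched in the quoted message, written out as an added example (not code from this thread or from the Squid project): it reads the `%SRC %DST %PORT` lines Squid passes, probes whether the destination completes a TLS handshake with a certificate chain that validates against the system trust store, keeps the verdict in an in-memory cache instead of sqlite so the proxy does not re-probe every CONNECT, and answers OK or ERR. The `external_acl_type` line, the sample addresses and the `TlsPolicy`/`probe_tls` names are assumptions.

```python
import socket
import ssl
import sys
import time

# Constructed sample of the lines Squid hands the helper under the assumed
# squid.conf line: external_acl_type tlscheck %SRC %DST %PORT /path/tls_helper.py
SAMPLE_REQUESTS = ["10.0.0.5 203.0.113.10 443",
                   "10.0.0.5 203.0.113.10 443",   # repeat: served from cache
                   "10.0.0.7 203.0.113.20 443"]

def probe_tls(host, port, timeout=5.0):
    """True if host:port completes a TLS handshake and presents a chain that
    validates against the system trust store. %DST is a bare IP, so hostname
    matching is skipped; chain validation (CERT_REQUIRED) is kept."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False  # plain TCP, non-TLS service, or untrusted certificate

class TlsPolicy:
    """One cached verdict per (dst, port) so repeated CONNECTs are not re-probed."""

    def __init__(self, probe=probe_tls, ttl=3600, now=time.monotonic):
        self.probe, self.ttl, self.now = probe, ttl, now
        self.cache = {}  # (dst, port) -> (expires_at, verdict)
        self.probes = 0  # real probes performed

    def decide(self, line):
        """Map one '%SRC %DST %PORT' request line to the OK/ERR answer."""
        _src, dst, port = line.split()  # concurrency=0: no channel-ID prefix
        key = (dst, int(port))
        expires, verdict = self.cache.get(key, (0.0, None))
        if verdict is None or expires <= self.now():
            verdict = self.probe(dst, int(port))
            self.probes += 1
            self.cache[key] = (self.now() + self.ttl, verdict)
        return "OK" if verdict else "ERR"

def serve(policy, stream_in=sys.stdin, stream_out=sys.stdout):
    for line in stream_in:  # one answer per request line; Squid waits for each
        stream_out.write(policy.decide(line.strip()) + "\n")
        stream_out.flush()

if __name__ == "__main__":
    serve(TlsPolicy())
```

Squid's own `ttl=` and `negative_ttl=` options on the `external_acl_type` line cache the OK/ERR answers a second time on the proxy side, so the helper is only asked once per destination per TTL.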