Re: ssl_bump for specific dstdomain


On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
> You only have an external helper (which you must write yourself) in 3.4.x.


Are there any examples that I can look at to implement this external helper for doing selective ssl_bumps? And what would this helper script do anyways? All we have is the destination IP address, which is not really going to give us the actual HTTP hostname.

 
> Work with domains in ssl bump is fully available in at least 3.5.x

Does the 3.5.x implementation decrypt the whole payload and then do the ssl_bump? The "peek" option seems to imply that only the HTTP headers are peeked at. 

I guess what I am asking is, is there any way we can do this without actually decrypting the payload? 
 

> 12.03.15 21:01, Mukul Gandhi wrote:
> > I am running squid 3.4.8 and am looking for solutions to ssl_bump
> > for specific domains only. Going through the archives it is clear
> > that it is not possible unless the reverse DNS points back to the
> > domain that is to be ssl bumped.
> >
> > So then what is the solution to this problem? I just want to create
> > an SSL whitelist of domains that are to be bumped and the rest
> > should be tunneled through. What I have is -
> >
> > ssl_bump none localhost
> > acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
> > ssl_bump server-first ssl_whitelist
> >
> > The file /tmp/ssl_whitelist.txt contains -
> >
> > .facebook.com
> > .twitter.com
> > .pintrest.com
> >
> > Of course, this doesn't work because the ip address for these
> > websites points back to <something>.akamaitechnologies.com.
> >
> > All I want is to be able to decrypt just the traffic to these
> > three web-sites, the rest should go through encrypted. But I
> > couldn't find a solution for this anywhere in the archives. I did
> > see some mention of using SslBump1/2/3 but it wasn't clear if this
> > was the silver bullet. Also I would have to upgrade to 3.5 to use
> > these new directives.
> >
> > Any idea how I can achieve this in 3.4.8 (if possible)? Or if a
> > solution exists for this in 3.5?
> >
> > Thanks, -Mukul
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
