13.03.15 2:37, Mukul Gandhi wrote:
> On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov@xxxxxxxxx>
> wrote:
>
> You only have an external helper (which you must write yourself) in
> 3.4.x.
>
>> Are there any examples that I can look at to implement this
>> external helper for doing selective ssl_bumps? And what would
>> this helper script do anyways? All we have is the destination IP
>> address which is not really going to give us the actual HTTP
>> hostname.

Yes and no. There is one third-party helper in the list archives, written in Python. None of them is included in the Squid distribution.

> Working with domains in ssl bump is fully available in at least 3.5.x
>
>> Does the 3.5.x implementation decrypt the whole payload and then
>> do the ssl_bump? The "peek" option seems to imply that only the
>> HTTP headers are peeked at.

Of course. As with 3.4.x. The difference is only in the mechanisms.

>> I guess what I am asking is, is there any way we can do this
>> without actually decrypting the payload?

The 3.5.x peek-and-splice functionality does the bump split into stages, as opposed to 3.4.x, which makes the bump in one stage.

> 12.03.15 21:01, Mukul Gandhi wrote:
>>>> I am running squid 3.4.8 and am looking for solutions to
>>>> ssl_bump for specific domains only. Going through the
>>>> archives it is clear that it is not possible unless the
>>>> reverse DNS points back to the domain that is to be ssl
>>>> bumped.
>>>>
>>>> So then what is the solution to this problem? I just want to
>>>> create an SSL whitelist of domains that are to be bumped and
>>>> the rest should be tunneled through.
>>>>
>>>> What I have is -
>>>>
>>>> ssl_bump none localhost
>>>> acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
>>>> ssl_bump server-first ssl_whitelist
>>>>
>>>> The file /tmp/ssl_whitelist.txt contains -
>>>>
>>>> .facebook.com
>>>> .twitter.com
>>>> .pintrest.com
>>>>
>>>> Of course, this doesn't work because the IP address for these
>>>> websites points back to <something>.akamaitechnologies.com.
>>>>
>>>> All I want is to be able to decrypt just the traffic to these
>>>> three web-sites, the rest should go through encrypted. But I
>>>> couldn't find a solution for this anywhere in the archives. I
>>>> did see some mention of using SslBump1/2/3 but it wasn't
>>>> clear if this was the silver bullet. Also I would have to
>>>> upgrade to 3.5 to use these new directives.
>>>>
>>>> Any idea how I can achieve this in 3.4.8 (if possible)? Or
>>>> if a solution exists for this in 3.5?
>>>>
>>>> Thanks, -Mukul
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>> http://lists.squid-cache.org/listinfo/squid-users