Search squid archive

Re: ssl_bump for specific dstdomain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



13.03.15 2:37, Mukul Gandhi пишет:
> On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov@xxxxxxxxx> 
> wrote:
> 
> You only have external helper (which is must wrote yourself) in 
> 3.4.x.
> 
> 
>> Are there any examples that I can look at to implemented this 
>> external helper for doing selective ssl_bumps. And what would 
>> this helper script do anyways? All we have is the destination IP 
>> address which is not really going to give us the actual HTTP 
>> hostname.
Yes and no. There is one third-party helper in list archives, written
on python. No one of this including in squid distribution.


> 
> 
> 
> Works with domains in ssl bump fully available at least 3.5.x
> 
> 
>> Does the 3.5.x implementation decrypt the whole payload and then 
>> do the ssl_bump? The "peek" option seems to imply that only the 
>> HTTP headers are peeked at.
Of course. As by 3.4.x. The difference is only with mechanisms.

> 
>> I guess what I am asking is, is there any way we can do this 
>> without actually decrypting the payload?
3.5.x peek-and-splise functionality do bump splitted by stages.
Against 3.4.x, which is makes bump in one stage.

> 
> 
> 
> 12.03.15 21:01, Mukul Gandhi пишет:
>>>> I am running squid 3.4.8 and am looking for solutions to 
>>>> ssl_bump for specific domains only. Going through the 
>>>> archives it is clear that it is not possible unless the 
>>>> reverse DNS points back to the domain that is to be ssl 
>>>> bumped.
>>>> 
>>>> So then what is the solution to this problem. I just want to 
>>>> create a SSL whitelist of domains that are to be bumped and 
>>>> the rest should be tunneled through. What I have is -
>>>> 
>>>> ssl_bump none localhost acl ssl_whitelist dstdomain 
>>>> "/tmp/ssl_whitelist.txt" ssl_bump server-first ssl_whitelist
>>>> 
>>>> The file /tmp/ssl_whitelist.txt contains -
>>>> 
>>>> .facebook.com .twitter.com .pintrest.com
>>>> 
>>>> Of course, this doesn't work because the ip address for these
>>>> websites points back to <something>.akamaitechnologies.com.
>>>> 
>>>> All I want is to be able to decrypt just the traffic to these
>>>> three web-sites, the rest should go through encrypted. But I
>>>> couldn't find a solution for this anywhere in the archives. I
>>>> did see some mention of using SslBump1/2/3 but it wasn't
>>>> clear if this was the silver bullet. Also I would have to
>>>> upgrade to 3.5 to use these new directives.
>>>> 
>>>> Any idea how I can achieve this in 3.4.8 (if possible)? Or
>>>> if I a solution exists for this in 3.5?
>>>> 
>>>> Thanks, -Mukul
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________ squid-users 
>>>> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx 
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>> 
>> _______________________________________________ squid-users 
>> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx 
>> http://lists.squid-cache.org/listinfo/squid-users
>> 
> 
> 
> 
> _______________________________________________ squid-users
> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx 
> http://lists.squid-cache.org/listinfo/squid-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJVAngXAAoJENNXIZxhPexGeYwIAIHnxixkc7Giy4EzQXpf+xqa
fqtozs1W2D7D349AURkUkwnNeq1VTNZb22Px6Jya9wpyuqAH0MXHSkeMkjDTtdjF
qUGIXEpjuhfHg0TaOXfnf41N8bdZ/lw4ZOeAgLdkVrfwXOO04oBqrr6ThVQMIjOS
NP1gz0ccxKFaZDgOS32Cg6uZ3fu92+vjobJN6UPVfr+EuN4BtF//aRxZ8BHfKX9C
ztrW1cBwL5IV4fecrFbJbEUSkria1IMezhnNRtrI5RtLVapftIN4jYGXFHwCUPHz
EMTboo1ohi5/WbOWvGQhsQjsm4mqkZ615Tk/CwQFGZ3qsJf1RK7msE2TeBWn8XE=
=7Rxa
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux