On 13/05/2015 6:17 a.m., Casey Daniels wrote:
> Hi,
> I've been trying to figure out how to do some web filtering on HTTPS,
> with no really good options given the layout I have. But then I just
> happened to see this feature for Squid 3.5, and was wondering if I'm
> understanding it correctly.
>
> With the Peek and Splice feature, is it possible to run Squid in a
> transparent mode for SSL, and check for certain hosts and either deny the
> connection altogether or allow the connection without further
> interference from Squid? Would this be completely transparent without
> adding a trusted certificate from the proxy server to all user devices?

Depends on how you define "host" and what the TLS ClientHello information contains.

If you define "host" in the official standard Internet terminology (a single machine), then no, it's not possible. NAT and "load balancing" utterly destroyed the ability to determine if the host being spoken to is the host indicated in the packets. Case in point is your interceptor - a completely different host to the one the client sees in its packets. Nothing stops other interceptors existing upstream from you.

If by "host" you actually meant FQDN or host *name*, it can be done when and only when the TLS SNI information is made available by the client.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
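As an added illustration of the reply above (example configuration written for this page, not taken from the thread or from the Squid project), the following squid.conf fragment does what the question asks for on Squid 3.5: peek at the TLS ClientHello to obtain the SNI, terminate connections to listed names, and splice everything else through untouched. The port number, certificate path and the blocked domain list are assumptions; the directive and ACL names (https_port ... intercept ssl-bump, at_step, ssl::server_name, ssl_bump peek/terminate/splice) are Squid's own.

```squid
# Added example, not from the thread: SNI-based filtering with Peek and Splice.
# Port, certificate path and domain list are assumptions.

# Intercepted HTTPS port; firewall rules redirect port 443 traffic here.
# ssl-bump requires a certificate for Squid to start, but because no rule
# below ever "bumps", clients are never shown a certificate derived from it.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem

# SslBump1 is the TCP-connection stage; after "peek" at that step, Squid
# has read the ClientHello and ssl::server_name carries the client's SNI.
acl step1 at_step SslBump1

# Names to refuse. ssl::server_name uses dstdomain-style matching, so a
# leading dot covers subdomains as well.
acl blocked_sites ssl::server_name .example.com .blocked.example

# Step 1: read the ClientHello without touching it.
ssl_bump peek step1
# Step 2 (ClientHello now parsed): close connections to blocked names ...
ssl_bump terminate blocked_sites
# ... and pass all other TLS sessions through end-to-end, unmodified.
ssl_bump splice all
```

Two practical caveats follow from Amos's answer. A client that sends no SNI at all has no name to match, so it falls through to the final "splice all" rule; if that is unacceptable, the policy must be tightened (for example, terminating anything that does not match an explicit allow list rather than blocking a deny list). And "terminate" simply closes the TCP connection, so the browser shows a connection error rather than a block page; serving a block page would require bumping, which is exactly what brings back the need for a trusted proxy certificate on every device.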