> On May 13, 2015 at 3:25 AM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 13/05/2015 6:17 a.m., Casey Daniels wrote:
> > Hi,
> > I've been trying to figure out how to do some web filtering on HTTPS,
> > with no really good options given the layout I have. But then I just
> > happened to see this feature for Squid 3.5, and was wondering if I'm
> > understanding it correctly.
> >
> > With the Peek and Splice feature, is it possible to run squid in a
> > transparent mode for SSL, and check for certain host and either deny the
> > connection altogether or allow the connection without further
> > interference from Squid? Would this be completely transparent without
> > adding a trusted certificate from the proxy server to all user devices?
>
> Depends on how you define "host" and what the TLS ClientHello
> information contains.
>
> If you define "host" in the official standard Internet terminology (a
> single machine), then no, it's not possible. NAT and "load balancing"
> utterly destroyed the ability to determine if the host being spoken to
> is the host indicated in the packets.
> Case in point is your interceptor - a completely different host to the
> one the client sees in its packets. Nothing stops other interceptors
> existing upstream from you.
>
> If by "host" you actually meant FQDN or host *name*, it can be done when
> and only when the TLS SNI information is made available by the client.
>
> Amos

Yes, the second option: not the particular machine, but the FQDN (i.e. www.cooking.com).
When is the TLS SNI information made available by the client?
Casey
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users