On 14/05/2015 10:47 a.m., Casey Daniels - mailinglist wrote:
>> On May 13, 2015 at 3:25 AM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>
>>
>> On 13/05/2015 6:17 a.m., Casey Daniels wrote:
>>> Hi,
>>> I've been trying to figure out how to do some web filtering on HTTPS,
>>> with no really good options given the layout I have. But then I just
>>> happened to see this feature for Squid 3.5, and was wondering if I'm
>>> understanding it correctly.
>>>
>>> With the Peek and Splice feature, is it possible to run squid in a
>>> transparent mode for SSL, and check for certain hosts and either deny the
>>> connection altogether or allow the connection without further
>>> interference from Squid? Would this be completely transparent without
>>> adding a trusted certificate from the proxy server to all user devices?
>>
>> Depends on how you define "host" and what the TLS ClientHello
>> information contains.
>>
>> If you define "host" in the official standard Internet terminology (a
>> single machine), then no, it's not possible. NAT and "load balancing"
>> utterly destroyed the ability to determine if the host being spoken to
>> is the host indicated in the packets.
>> Case in point is your interceptor - a completely different host to the
>> one the client sees in its packets. Nothing stops other interceptors
>> existing upstream from you.
>>
>> If by "host" you actually meant FQDN or host *name*, it can be done when
>> and only when the TLS SNI information is made available by the client.
>>
>> Amos
>>
>
> Yes the second option, not the particular machine, but the FQDN
> (i.e. <http://www.cooking.com>)

# step 1: peek at the ClientHello to get the TLS SNI details etc
ssl_bump peek all
# some get rejected: ".example.com" matches that domain and all its subdomains
acl blocked ssl::server_name .example.com
# "terminate" is the Squid 3.5 action that closes both client and server connections
ssl_bump terminate blocked
# the rest allowed without decrypting
ssl_bump splice all

> When is the TLS SNI information made available by the client?

They send it or they don't. Nothing you or we can do about it.
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
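As an added example that is not part of the thread and not Squid's own code, the following Python shows what the "peek" step actually has to work with: it parses a raw TLS ClientHello, pulls out the SNI host name if the client sent one, and then applies the same three rules as the config above (terminate on a blocked name, otherwise splice, with the no-SNI case falling through to splice because a name-based ACL has nothing to match). The ClientHello bytes are constructed inline for the demo; the block list and the `decide()` helper are assumptions that mirror the config, and the byte layouts follow RFC 5246 and RFC 6066.

```python
"""
Added example, not code from the squid-users thread or from Squid itself:
a minimal TLS ClientHello parser that extracts the SNI host name, plus a
policy function that mirrors the peek / terminate / splice rules from the
config in Amos's reply. Byte layouts follow RFC 5246 (record and handshake
framing) and RFC 6066 (server_name extension). The ClientHello bytes are
constructed inline; BLOCKED_SUFFIXES is an assumption matching the config.
"""
import struct

# Assumption: same block list as the example config's ssl::server_name ACL.
BLOCKED_SUFFIXES = (".example.com",)


def build_client_hello(sni=None):
    """Construct a syntactically valid TLS 1.2 ClientHello (constructed test input)."""
    body = b"\x03\x03" + bytes(32)                 # client_version, random
    body += b"\x00"                                # session_id: length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # cipher_suites: one suite
    body += b"\x01\x00"                            # compression_methods: null only
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    # An unrelated extension after (or instead of) SNI, so the parser has to skip it.
    exts += struct.pack("!HH", 0x002b, 3) + b"\x02\x03\x04"   # supported_versions
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello, or None if the client sent none.

    Raises ValueError if the bytes are not a TLS handshake record carrying a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    off = 2 + 32                                        # skip client_version and random
    off += 1 + p[off]                                   # session_id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
    off += 1 + p[off]                                   # compression_methods
    if off + 2 > len(p):
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = min(off + ext_len, len(p))
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        off += 4
        edata = p[off:off + elen]
        off += elen
        if etype != 0x0000:
            continue                                    # not server_name
        # ServerNameList: 2-byte list length, then (NameType, 2-byte length, name) entries.
        q = 2
        while q + 3 <= len(edata):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            if ntype == 0:
                return edata[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
    return None


def decide(record):
    """Apply the config's rules to one peeked ClientHello.

    Returns (action, reason). With no SNI the name-based ACL has nothing to
    match, so the blocked rule cannot fire and the final 'splice all' wins.
    """
    name = extract_sni(record)
    if name is None:
        return ("splice", "no SNI in ClientHello; ssl::server_name ACL cannot match")
    host = name.lower().rstrip(".")
    for suffix in BLOCKED_SUFFIXES:
        # '.example.com' in Squid matches example.com and every subdomain of it.
        if host == suffix.lstrip(".") or host.endswith(suffix):
            return ("terminate", "server name %s matched %s" % (host, suffix))
    return ("splice", "server name %s not blocked; passed through undecrypted" % host)


if __name__ == "__main__":
    for sni in ("www.example.com", "www.cooking.com", None):
        print(sni, "->", decide(build_client_hello(sni)))
```

The no-SNI branch is the practical catch in Amos's "they send it or they don't": a client that omits the extension never hits the `blocked` ACL, so if that is not acceptable the policy needs an explicit rule for the no-name case rather than relying on `splice all`. The name is also whatever the client chose to write, so a peek-only policy is matching a client-asserted string, not a verified identity.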