> On May 14, 2015 at 12:37 AM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>
> On 14/05/2015 10:47 a.m., Casey Daniels - mailinglist wrote:
> >> On May 13, 2015 at 3:25 AM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> >>
> >>
> >> On 13/05/2015 6:17 a.m., Casey Daniels wrote:
> >>> Hi,
> >>> I've been trying to figure out how to do some web filtering on HTTPs,
> >>> with no really good options given the layout I have. But then I just
> >>> happened to see this feature for Squid 3.5, and was wondering if I'm
> >>> understanding it correctly.
> >>>
> >>> With the Peek and Splice feature, is it possible to run squid in a
> >>> transparent mode for SSL, and check for certain hosts and either deny the
> >>> connection altogether or allow the connection without further
> >>> interference from Squid? Would this be completely transparent without
> >>> adding a trusted certificate from the proxy server to all user devices?
> >>
> >> Depends on how you define "host" and what the TLS ClientHello
> >> information contains.
> >>
> >> If you define "host" in the official standard Internet terminology (a
> >> single machine), then no, it's not possible. NAT and "load balancing"
> >> utterly destroyed the ability to determine if the host being spoken to
> >> is the host indicated in the packets.
> >> Case in point is your interceptor - a completely different host to the
> >> one the client sees in its packets. Nothing stops other interceptors
> >> existing upstream from you.
> >>
> >> If by "host" you actually meant FQDN or host *name*, it can be done when
> >> and only when the TLS SNI information is made available by the client.
> >>
> >> Amos
> >>
> >
> > Yes, the second option: not the particular machine, but the FQDN
> > (i.e. <http://www.cooking.com>)
> >
> # get TLS SNI details etc
> ssl_bump peek all
>
> # some get rejected (acl type is ssl::server_name; the action that closes
> # both connections in Squid 3.5 is "terminate")
> acl blocked ssl::server_name .example.com
> ssl_bump terminate blocked
>
> # the rest allowed without decrypting
> ssl_bump splice all
>
>
> > When is the TLS SNI information made available by the client?
>
> They send it or they don't. Nothing you or we can do about it.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Thank You,
Casey