On 5/06/2015 3:59 a.m., Atman Sense wrote:
> Hi,
>
> I'm using privoxy in transparent/intercepting mode to filter tracking
> sites. Because many sites switched to https I want to block https sites,
> too (only by hostnames, I don't want to decrypt the SSL connections).
>
> My idea was to use squid to intercept https connections and peek/splice
> to get the hostname via SNI.
>
> The problem is: When using a parent proxy, squid always "CONNECT" the IP
> and not the hostname, even if it is aware of it through SNI. Can I get
> squid to use the hostnames instead of IPs?

You can block by SNI in the ssl_bump checks without having bumped the
connection. Like so:

  # get the public TLS metadata (includes SNI)
  ssl_bump peek all

  # block based on SNI matching (or server cert matching)
  acl blocked ssl::server_name .example.com
  ssl_bump terminate blocked

  # tunnel (no decrypting) for everything else
  ssl_bump splice all

Note that you do have to allow the "CONNECT raw-IP:443 ..." requests
through http_access to the bumping logic.

Amos