Hello, I'm kinda confused about the "Peek and Splice" technique
introduced in Squid 3.5.x.
----------------------
My goal is to allow the CONNECT method ONLY to certain web pages (mainly
banks, payment systems). The rest of the HTTPS sites should always be bumped.
---------------------
And this can be easily achieved even in Squid 3.3 (I'm talking about the
situation where the browser is totally aware of using a proxy server -- not
transparent mode).
But when Squid allows the CONNECT method, it allows any kind of TCP tunnel
(e.g. OpenVPN over TCP or an ssh tunnel).
So, my real question is: is it possible, using the new technique
(Peek and Splice), to allow the Splice method but ONLY to real HTTPS sites,
not an ssh or VPN service?
(I'm still talking about the situation where browsers are aware of proxying.)
I was thinking that it can be done by peeking in step 2 (peeking at the
server certificate), BUT there is a limitation: peeking at the server
certificate usually precludes future bumping. So when we're peeking at
step 2 we can only splice later (or terminate), which is not what I
wanted to achieve.
If the above is not possible, what is the main advantage of "Peek and
Splice" compared to the old method (remember: browsers are aware of proxying)?
I can see an advantage in transparent mode: obtaining the domain name via SNI.
But in "normal mode" Squid knows the domain name because of the CONNECT
request? And knowing the domain name, we can decide what to do.
Thanks for any hints or explanation!
HELION SA, 44-100 Gliwice, ul. Kościuszki 1C
KRS number 0000121256, District Court in Gliwice,
10th Commercial Division of the National Court Register.
NIP 631-020-02-68, REGON: 271070648
Share capital: PLN 500,100, fully paid up
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
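An added example squid.conf fragment (not from the post above or from the Squid project) of ssl_bump rules for the forward-proxy setup the post describes: CONNECT is allowed only to port 443, an allowlist of sites is peeked at step 1 and step 2 and then spliced, and everything else is bumped after the step 1 peek. The domain names, certificate paths and acl names are placeholders I chose.

```conf
# Added example: Squid 3.5 ssl_bump rules for a forward (non-transparent) proxy.
# Goal from the post: CONNECT only to allowlisted sites, splice those, bump the rest.
# Domain names, file paths and acl names are placeholders, not real values.

acl SSL_ports port 443
acl CONNECT method CONNECT

# Sites that must never be decrypted (banks, payment providers).
# ssl::server_name is matched against the CONNECT host at step 1 and
# against the SNI once the client hello has been peeked at step 2,
# so the list is applied to both names, not only to the CONNECT request.
acl nobump_sites ssl::server_name .bank.example .payments.example

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Never open a CONNECT tunnel to anything but port 443.
http_access deny CONNECT !SSL_ports
# (the regular http_access rules for the client networks go here)

# Bumping listener; ssl_crtd path and cache dir depend on the distribution.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1: peek at the client hello (SNI) without committing to anything.
# A client stream inside the tunnel that is not a TLS client hello
# (ssh, OpenVPN) does not get past this peek as a TLS connection.
ssl_bump peek step1

# Step 2: for the allowlist, also peek at the server hello and certificate.
# After a step 2 peek Squid can only splice or terminate, never bump,
# which is exactly what we want for these sites.
ssl_bump peek step2 nobump_sites

# Step 3: splice the allowlisted sites. Reaching this rule means both the
# client and the server side produced a parsable TLS handshake, so a
# non-TLS tunnel to an allowlisted host does not get spliced blindly.
ssl_bump splice step3 nobump_sites

# Everything else: bump at step 2. Peek at step 1 followed by bump is the
# standard combination; bumping after a step 2 peek is not possible.
ssl_bump bump all
```

The rule order matters: the first matching ssl_bump line at each step wins, so `bump all` is reached at step 2 only for connections that are not on the allowlist.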