On 09/17/2015 04:00 AM, Marek Serafin wrote:
> Hello, I'm kinda confused about the "Peek and Splice" technique
> introduced in Squid 3.5.x.
> ----------------------
> My goal is to allow CONNECT-method ONLY to certain web-pages (mainly
> banks, payment systems). The rest of https-sites should be always bumped.
> ---------------------
> And this can be easily achieved even in squid 3.3 (I'm talking about
> situation where browser is totally aware of using proxy server -- not
> transparent mode).
>
> But when Squid allows CONNECT method - it allows any kind of TCP tunnel
> (e.g. OpenVPN over TCP or ssh tunnel).
>
> So, my real question is - if it's possible - using the new technique
> (Peek and Splice) to allow Splice method - but ONLY to real HTTPS Sites
> - not a ssh or VPN service?

The short answer to your question is "when splicing, it is only possible
to check whether the service is using SSL". Here are the details:

* Peeking or staring at step1 results in Squid parsing the client SSL
  Hello. This does not guarantee that the client is an HTTPS client, but
  it virtually guarantees that it is an SSL client.

* Peeking or staring at step2 results in Squid validating the server
  certificate. This does not guarantee that the server is an HTTPS
  server, but it virtually guarantees that it is an SSL server.

* Beyond step2, you have to bump to check that the SSL client and the
  SSL server are going to talk HTTP after CONNECT and SSL handshake.
  There is and will be no way around that. Staring allows you to bump if
  that is what you want.

... where "X at stepN" means "action X matched at SslBump step #N".

However, your question seems to contradict your goal of splicing
connections to "certain" known servers and only to those servers: If you
know that example.com is a trusted bank, do you really need to check
that nobody is creating an ssh connection to that bank? If not, then
validating "bank" traffic beyond SSL handshake becomes irrelevant. You
simply trust the "bank" not to provide any "bad" services.

> (I'm still talking about the situation where browsers are aware of
> proxying)

Browser awareness does not really matter as far as non-HTTP detection is
concerned.

> I was thinking that it can be done by peeking in step 2 (peeking at the
> server certificate) BUT there is a limitation: peeking at the server
> certificate usually precludes future bumping. So when we're peeking at
> step 2 we can only splice later (or terminate) - which is not what I
> wanted to achieve.

You do not need to bump to validate the server certificate (and, hence,
confirm that it is a known-to-you "bank"). If you want to bump, you can
stare instead of peeking.

> what is the main advantage of "Peek and
> Splice" compared to the old method (remember: browsers are aware of proxying).
> I can see advantage in transparent mode - obtaining domain name by SNI.
> But in "normal mode" squid knows the domain-name because of the connect
> request?

In some cases, the CONNECT request contains an IP address instead of a
domain name.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
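As an added illustration of the three-step scheme described in the reply (example configuration, not part of this thread or of Squid's own documentation), a squid.conf fragment for a forward proxy that splices only an allow-list of bank sites after validating their server certificate at step2 and bumps everything else; `.examplebank.com` is a constructed placeholder for the operator's own list, while `at_step` and `ssl::server_name` are Squid 3.5 ACL types.

```conf
# SslBump step ACLs (Squid 3.5 and later)
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Constructed placeholder: the banks / payment sites that may be spliced.
# ssl::server_name is filled from the CONNECT target at step1 (which may
# be a bare IP address), from the SNI at step2 and from the validated
# server certificate once it has been received, so by step3 the match
# reflects the certificate rather than only what the client claimed.
acl bank_sites ssl::server_name .examplebank.com

# step1: parse the client SSL Hello (confirms an SSL client and learns
# the SNI) without contacting the server yet.
ssl_bump peek step1

# step2: receive and validate the server certificate. Peeking here
# precludes bumping later, which is acceptable for sites we only ever
# intend to splice; every other server is stared at so that step3 can
# still bump it.
ssl_bump peek step2 bank_sites
ssl_bump stare step2

# step3: splice the confirmed banks (Squid has checked only that both
# ends speak SSL, not that HTTP follows), and bump the rest so the HTTP
# carried inside the tunnel can be inspected by the usual access rules.
ssl_bump splice step3 bank_sites
ssl_bump bump step3
```

Any tunnel to a non-listed server is therefore bumped, which is the only point at which Squid can see whether HTTP, ssh or anything else follows the handshake.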