10.01.16 1:36, Marcus Kool writes:
>
>
> On 01/09/2016 09:49 AM, Darren wrote:
>> Hi
>>
>> Thanks Marcus
>>
>> I have been hacking my own branch of Squidguard so I can add support for the SNI (I hope)
>>
>> How would I get the peek SNI output to the url_rewriter?
>
> using url_rewrite_extras
>
>> I am a bit of a peek newcomer.
>>
>> Sounds like there is some hope and a possible way forward.

This is not for a newcomer, Marcus ;)

>>
>> regards
>>
>> Darren B.
>>
>>> On 9/01/2016 5:46:36 PM, Marcus Kool <marcus.kool@xxxxxxxxxxxxxxx> wrote:
>>>
>>> On 01/09/2016 05:07 AM, Darren wrote:
>>> > Hi
>>> >
>>> > I am trying to hack squidguard to allow me to redirect users' attempts to connect to blocked https enabled sites.
>>> >
>>> > Some sites are allowed and the bulk are not. Currently I can see the Connect details being handed to SG for processing and if I change this to return a redirect to make it point to a different server
>>> > it breaks and gives me an SSL error (as would be expected)
>>>
>>> indeed, "as expected"...
>>> The HTTP protocol supports redirection of a URL by sending a 30x status code back to the browser.
>>> HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the channel and
>>> explicitly is designed not to be tampered with. So redirecting a channel to another website
>>> will always cause a certificate error, unless ...
>>> 1) one uses ssl-bump
>>> 2) installs the Squid fake CA certificate in all browsers
>>> 3) one has a policy for the other protocols (e.g. Skype) that use CONNECT
>>>
>>> > Is there a way I can get this redirection call to squidguard to happen earlier in squid before it gets this far down the CONNECT process? Or is there something that I can return from Squidguard that
>>> > would make this work?
>>> > I notice that the connect attempts are always just the IP address, so something earlier in the processing is doing a reverse DNS lookup, is this the Browser or Squid and if so
>>> > can I get in earlier during the process?
>>>
>>> The above implies that you use Squid in interception mode where it initially can only see the IP address of the server.
>>> In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a. the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL redirector that can cope with the SNI
>>> parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in February.
>>>
>>> Marcus
>>>
>>> >
>>> > I want to maintain the various lists in just squidguard and not put in ACLs in squid.conf
>>> >
>>> > thanks
>>> >
>>> > Darren B.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
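The mechanism discussed in the thread (peek at ssl_bump step1 so Squid learns the SNI, then hand it to the URL rewriter through url_rewrite_extras) as an added example, not code from this thread, from squidGuard or from ufdbGuard: a minimal Python url_rewrite_program helper that reads an `sni=` key from the extras and redirects only bumped (already decrypted) requests, while leaving the CONNECT itself alone because, as Marcus explains, a redirect there can only produce a certificate error. The squid.conf fragment in the docstring uses Squid 3.5+ directive syntax and the `%ssl::>sni` logformat code; the ACL name `step1`, the helper path, the blocklist and the block-page URL are placeholders I made up for the example.

```python
"""Minimal Squid url_rewrite_program helper that reads the SNI from url_rewrite_extras.

Assumed squid.conf fragment (added example; the ACL name "step1", the helper
path and the block page are placeholders, the directives and the %ssl::>sni
format code are Squid 3.5+ syntax):

    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    url_rewrite_program /usr/local/bin/sni_rewrite.py
    url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp sni=%ssl::>sni"
"""
import sys

# Constructed blocklist and block page (placeholders, not real hosts).
BLOCKED = {"blocked.example", "ads.example"}
BLOCK_PAGE = "http://blockpage.internal.example/blocked"


def parse_request(line):
    """Split one helper request line into (channel, url, method, kv).

    Squid sends: [channel-ID] URL ip/fqdn ident method key=value ...
    The channel-ID is present only when url_rewrite_children uses
    concurrency. Empty fields are sent as "-".
    """
    fields = line.strip().split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    url = fields.pop(0) if fields else ""
    positional = [f for f in fields if "=" not in f]
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    method = positional[2] if len(positional) > 2 else "-"
    return channel, url, method, kv


def url_host(url):
    """Host part of 'scheme://host[:port]/path' or of a CONNECT 'host:port'."""
    hostport = url.split("//")[-1].split("/")[0]
    return hostport.rsplit(":", 1)[0].lower()


def effective_name(url, kv):
    """Name to check against the blocklist.

    The SNI is client-supplied and unverified, so it is only a hint about
    where the client is going; fall back to the URL host when none was sent.
    """
    sni = kv.get("sni", "-")
    if sni and sni != "-":
        return sni.lower().rstrip(".")
    return url_host(url)


def respond(line):
    """Return the helper response line for one request line."""
    channel, url, method, kv = parse_request(line)
    prefix = f"{channel} " if channel is not None else ""
    # A redirect answered to the CONNECT itself only yields a certificate
    # error in the browser; let the tunnel through so ssl_bump can bump it and
    # the inner (decrypted) request reaches this helper with the SNI attached.
    if method == "CONNECT":
        return prefix + "ERR"
    if effective_name(url, kv) in BLOCKED:
        return prefix + f'OK status=302 url="{BLOCK_PAGE}"'
    return prefix + "ERR"  # ERR = leave the URL unchanged


def main():
    for line in sys.stdin:
        sys.stdout.write(respond(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

The helper only redirects after the bump, which is exactly when the browser (trusting the Squid CA certificate) will accept a 302 without a certificate warning. If the goal is to refuse a blocked site at the CONNECT stage rather than show a block page, that is a job for an http_access deny with an `ssl::server_name` ACL in squid.conf, not for the rewriter.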