On 10/01/2016 10:26 p.m., Nir Krakowski wrote:
> 1. You're forgetting I only refer specific traffic using /etc/hosts to
> squid.

You missed my point.

1) clientConn is where the traffic *came from*. Not where it is going to.

2) Host: header verification is only relevant to MITM (intercept/tproxy port) traffic. Patching it at all is wrong for accel port traffic. And the patch you published is more than just dangerous when used on an MITM proxy.

3) ssl-bump is not supported on accel ports:
 - http_port accel does not accept CONNECT, so nothing to bump.
 - https_port accel initializes its server TLS context differently to ssl-bump, so the context created is bad for bumping.
 - https_port accel decrypts the TLS using different code than ssl-bump

> 2. What do you suggest ? I want to use the SNI as the direction of the
> traffic, not the forwarded IP address.

"accel" mode traffic uses the URL for server selection. Both the forwarded IP address and the SNI are irrelevant and ignored.

Think of it like this: If you take an apple and paint it to look like an apple. All you have done is make it poisonous to eat. Not cease being an apple.

Amos