Re: Fwd: Squid https bump and google apps

Lucas Castro <lucascastroborges@xxxxxxxxx> · Fri, 15 Jan 2016 15:42:54 -0300



    Yuri, 

    Now I can see, I'm really doing something wrong, 

    cause I can't see the FQDN at access.log

    What can be the possible problem that I can get just IP:PORT? 

    
    On 15-01-2016 15:23, Yuri Voinov wrote:

    >

    
      15.01.16 23:55, lucas castro пишет:

      > Amos, Sorry for emailing right to you.

      > ---------- Forwarded message ----------

      > From: lucas castro <lucascastroborges@xxxxxxxxx>

      > Date: Fri, Jan 15, 2016 at 2:54 PM

      > Subject: Re:  Squid https bump and google apps

      > To: Amos Jeffries <squid3@xxxxxxxxxxxxx>

      
      > Amos, I'm already using squid-3.5.13 with sni,

      > the problem is, google use the same certificate for
      youtube.com, google.com

      > and some others.

      > Or Am I doing something wrong?

      Yes. SSL Bump is _not_ main ACL tool. So, use SNI as geberal ACL
      is bad idea.

      
      Right way is:

      
      - Using bump to make FQDN visible and, next

      - Using general ACL to access control _or_

      - Using redirector to filter out URL's.

      
      > On Fri, Jan 15, 2016 at 2:33 PM, Amos Jeffries
      <squid3@xxxxxxxxxxxxx> wrote:

      
      >> On 16/01/2016 3:35 a.m., Lucas Castro wrote:

      >>> I've hard worked against google applications,

      >>> The points is, google use the same certificate for a
      bunch of different

      >>> apps,

      >>> like google.com, youtube.com, drive.google.com.

      >>> I'd like to know if someone already got terminated
      youtube.com and

      >>> keep working google.com and others services.

      >>

      >> It is possible. Using the Squid-3.5 peek-and-splice
      feature with SNI

      >> detection.

      >>

      >> Amos

      >>

      >> _______________________________________________

      >> squid-users mailing list

      >> squid-users@xxxxxxxxxxxxxxxxxxxxx

      >> http://lists.squid-cache.org/listinfo/squid-users

      >>

      
      > _______________________________________________

      > squid-users mailing list

      > squid-users@xxxxxxxxxxxxxxxxxxxxx

      > http://lists.squid-cache.org/listinfo/squid-users

      
    >

      >

      >

      > _______________________________________________

      > squid-users mailing list

      > squid-users@xxxxxxxxxxxxxxxxxxxxx

      > http://lists.squid-cache.org/listinfo/squid-users

    
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users