On 21/03/2016 10:29 a.m., Jason Haar wrote:
> Hi there
>
> I'm wanting to use TLS intercept to just log (well OK, and potentially
> block) HTTPS sites based on hostnames (from SNI), but have had problems
> even in peek-and-splice mode. So I'm willing to compromise and instead just
> intercept that traffic, log it, block on IP addresses if need be, and not
> use ssl-bump beyond that.
>
> So far the following seems to work perfectly; can someone confirm this is
> "supported" - i.e. that I'm not relying on some bug that might get fixed
> later? ;-)

It is supported.

> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
> acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
>
> The "bug" comment comes down to how the ACL seems to work. I half-expected
> the above not to work - but it does. It would appear Squid will treat an
> intercepted connection's dst IP as the "DNS name", as that's all it's got,
> so "dstdomain" works fine for both CONNECT and intercept IFF the ACL
> contains IP addresses.

This is because the ssl_bump rules are saying to splice immediately, when
only the pseudo-CONNECT with an IP address is known.

If you use this:

  ssl_bump peek all
  ssl_bump splice all

it will peek at the client SNI and server public cert details before
dropping back to a transparent pass-through. Then it will have that domain
and any other non-encrypted details available for logging.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
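The two configurations side by side, as an added illustration that is not part of the thread above and not Squid project documentation: the first fragment is the original splice-at-step-1 rule, which only ever sees the intercepted destination IP, so a `dstdomain` list can match nothing but IP literals; the second peeks at the client SNI (step 1) and the server certificate (step 2) before splicing, which makes the hostname available to `ssl::server_name` ACLs, to `ssl_bump terminate`, and to the `%ssl::>sni` / `%ssl::<cert_subject` logformat codes. It assumes Squid 3.5 or later; the `https_port` number, the CA certificate path, the blacklist file path and the log file name are placeholders chosen for the example.

```conf
# --- Weak: splice as soon as the pseudo-CONNECT is known -------------------
# At SslBump1 Squid only knows the original destination IP:port of the
# intercepted TCP connection, so any hostname ACL evaluated here sees an IP.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5

acl SSL_https port 443
ssl_bump splice SSL_https                       # spliced blind, SNI never read
acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites          # only IP literals can match

# --- Corrected: peek first, then decide, then splice -----------------------
acl step1 at_step SslBump1                      # ClientHello seen (SNI)
acl step2 at_step SslBump2                      # ServerHello/cert seen
acl step3 at_step SslBump3

# Hostnames, not IPs: matched against SNI at step 2 and against the server
# certificate names at step 3. Same file format as the dstdomain list
# (one domain per line, leading dot for whole domains).
acl BlacklistedSNI ssl::server_name "/etc/squid/acl-BlacklistedHTTPSsites.txt"

ssl_bump peek step1                             # read SNI, keep splice possible
ssl_bump terminate BlacklistedSNI               # SNI known now: drop both sides
ssl_bump peek step2                             # read server cert, still no decrypt
ssl_bump splice all                             # step 3: transparent TCP tunnel

# Log what the peek revealed without ever decrypting the payload.
logformat sni_log %ts.%03tu %>a %>p %ssl::>sni %ssl::<cert_subject %Ss/%03>Hs
access_log /var/log/squid/sni.log sni_log
```

Two caveats worth keeping in mind when adopting the second form: `terminate` is evaluated only from step 2 onwards here because the SNI does not exist before the ClientHello has been peeked at, and the SNI is a client-supplied, unauthenticated string, so a client that omits it or lies in it bypasses an SNI-only blacklist; the step-3 match against the server certificate's subject names catches the common case of a wrong SNI, but a client that simply sends no SNI will be spliced to whatever the destination IP serves. Keep the original `http_access deny` on the IP list as a backstop for that case.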