On 13/07/2016 5:46 a.m., Moataz Elmasry wrote:
> Hi Amos,
>
> I kinda solved the problem (Thanks to you!!!)
> All that was needed is to peek the important domains in step2 in order not
> to cause them harm and bump everything else in step3. In this case I'm able
> to read the DNS names in the redirect script and block them accordingly
>
> Here is the relevant part:
> acl http_sites dstdomain play.google.com mydomain.com
> acl https_sites ssl::server_name play.google.com mydomain.com
>
> ssl_bump peek step1 all
> ssl_bump peek step2 https_sites
> ssl_bump bump step3 all !https_sites #http_sites won't be bumped anyway. But just to be sure
> url_rewrite_access allow all !http_sites
>
> Of course I'm still not able to rewrite https address as discussed, but
> this is a different story I guess.
>
> The SslPeekAndSplice wiki page needs serious rework though as much of the
> stuff discussed here is not explained on the page, which makes life really
> hard for noobs like me. Is there a way to contribute back a little bit by
> reworking that wiki page? I'll try to write a small post about
> the SslPeekAndSplice in the next few days.

The answer to that is "yes, it's a wiki so anyone in the community can improve it". The need to register as an editor is just a spam prevention tactic.

For that particular page the lack of details is partially intentional. Playing around with security protocols does require a certain level of understanding. The page assumes that level of understanding is present first.

But you are right, the page does need some improvements. I would prefer though for this page if you proposed changes in the Discussion page associated with the SslPeekAndSplice page. Then the authors who understand the feature and TLS more fully can make the adjustments.

Cheers
Amos
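
The redirect-script blocking mentioned in the quoted message could be done by a `url_rewrite_program` helper like the one below. This is an added example, not code from the thread or from the Squid project; the blocklist entries and block-page URL are constructed placeholders, and it assumes the Squid 3.4+ helper reply syntax (`OK status=... url=...` / `ERR`).

```python
import sys
from urllib.parse import urlsplit

# Constructed values for illustration; not taken from the thread.
BLOCKED_DOMAINS = {"ads.example.net", "tracker.example.org"}
BLOCK_PAGE = "http://proxy.example.internal/blocked.html"


def host_of(url):
    """Return the lowercase host from an absolute URL or a CONNECT-style host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").rstrip(".")
    # CONNECT requests reach the helper in authority form, e.g. "example.com:443".
    return (urlsplit("//" + url).hostname or "").rstrip(".")


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match the host itself or any subdomain of a blocked entry (whole labels only)."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def answer(line):
    """Build the helper reply for one request line: [channel-ID] URL [extras]."""
    fields = line.split()
    if not fields:
        return "ERR"
    # With url_rewrite_children concurrency>0, a numeric channel-ID leads the line
    # and must be echoed back at the start of the reply.
    channel = ""
    if fields[0].isdigit() and len(fields) > 1:
        channel, fields = fields[0] + " ", fields[1:]
    try:
        host = host_of(fields[0])
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return channel + "ERR"
    if host and is_blocked(host):
        return f'{channel}OK status=302 url="{BLOCK_PAGE}"'
    return channel + "ERR"  # ERR tells Squid to leave the URL unchanged


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer output


if __name__ == "__main__":
    main()
```
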