Hi everyone,
I have a transparent proxy squid 3.5.26 with C-ICAP and here are the important lines:
"icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/echo bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/echo bypass=off
adaptation_access service_avi_resp allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/echo bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/echo bypass=off
adaptation_access service_avi_resp allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
#acl step1 at_step SslBump1
ssl_bump peek all
ssl_bump bump all
logformat squid %ssl::>sni
adaptation_meta X-SNI "%ssl::>sni" all #or connect
http_port 3129 intercept
https_port 3130 intercept ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
#acl step2 at_step SslBump2
#acl step3 at_step SslBump3
ssl_bump bump all
logformat squid %ssl::>sni
adaptation_meta X-SNI "%ssl::>sni" all #or connect
#request_header_add X-SNI "%ssl::>sni" all
"
So i want to create an icap service like squidclamav but it must check SNI not URLs.
I peek all the steps to get sni and in the squid access log, sni is printed .
I read that adaptation_meta can send anything from squid to icap but clearly i use it incorretly: i can't see sni on icap access log or in icap headers.
Does adaptation_meta create a icap headers ? Or should i use add_request_headers?
I know that squid can create a 2nd fake connect with sni but here again icap just print the same connect 2 times
Thanks,
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users