On 04/08/17 19:11, lucas.alvaro@xxxxxxxxxxx wrote:
> Hi everyone,
> I have a transparent proxy squid 3.5.26 with C-ICAP and here are the
> important lines:
> "
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_avi_req reqmod_precache icap://localhost:1344/echo bypass=off
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/echo bypass=off
> adaptation_access service_avi_resp allow all
> #url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump \
> cert=/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
> #acl step1 at_step SslBump1
> #acl step2 at_step SslBump2
> #acl step3 at_step SslBump3
> ssl_bump peek all
> ssl_bump bump all

NP: Peeking at step 2 precludes bumping.

> logformat squid %ssl::>sni

Please do not redefine the built-in format name "squid". Use a custom
name for custom formats.

> adaptation_meta X-SNI "%ssl::>sni" all #or connect
> #request_header_add X-SNI "%ssl::>sni" all
> "
> So I want to create an ICAP service like squidclamav, but it must check
> SNI, not URLs.

Any particular reason why?

SNI has almost nothing to do with the HTTP messages (plural). It is
simply the name of the next-hop server (or proxy) they should be
delivered to on their way around the web.

I thought squidclamav was an antivirus, not a URL blocklist checker.

> I peek at all the steps to get the SNI, and in the Squid access log the
> SNI is printed.
> I read that adaptation_meta can send anything from Squid to ICAP, but
> clearly I use it incorrectly: I can't see the SNI in the ICAP access log or
> in the ICAP headers.

Your usage appears to be correct. I think there is no SNI being received
by Squid.

> Does adaptation_meta create ICAP headers?

It does.

> Or should I use
> add_request_headers?

No, that would add HTTP headers to the outgoing messages (to server or
to client).

> I know that Squid can create a 2nd fake CONNECT with SNI, but here again
> ICAP just prints the same CONNECT 2 times.

That is correct, however SNI is not always sent by clients. Squid can
only use what it is given.

If there is an SNI in that particular clientHello you have hit a bug in
Squid.
Amos
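The service Lucas describes, as an added example that is not part of the thread and not Squid's or c-icap's code: the REQMOD decision logic of an ICAP service that checks the X-SNI header that the thread's `adaptation_meta X-SNI "%ssl::>sni"` line makes Squid send, instead of checking the URL. The REQMOD request, the blocklist and the X-Blocked-SNI header are constructed for the example; ICAP framing is reduced to headers only (no Preview or body handling), and a missing X-SNI, which is what Amos says happens when the client sent no SNI, is treated as "nothing to match" rather than as a hit.

```python
# Added example (not from the thread, Squid or c-icap): REQMOD decision logic
# for an ICAP service that blocks on the SNI passed in the X-SNI header set by
# "adaptation_meta X-SNI", not on the URL. Headers-only framing, no Preview.
from typing import Optional

BLOCKED_SNI = {"bad.example"}        # constructed sample blocklist
ISTAG = b'ISTag: "sni-check-1"\r\n'  # ICAP replies carry an ISTag

# Constructed REQMOD request, shaped like what Squid sends for a bumped CONNECT.
SAMPLE_REQMOD = (
    b"REQMOD icap://localhost:1344/echo ICAP/1.0\r\n"
    b"Host: localhost\r\n"
    b"X-Client-IP: 192.0.2.10\r\n"          # from icap_send_client_ip
    b"X-SNI: bad.example\r\n"               # from adaptation_meta X-SNI
    b"Encapsulated: req-hdr=0, null-body=59\r\n\r\n"
    b"CONNECT bad.example:443 HTTP/1.1\r\nHost: bad.example:443\r\n\r\n"
)

def parse_icap_headers(raw: bytes) -> dict:
    """Parse the ICAP header block (up to the first blank line) into a dict
    keyed by lower-cased header name; the request line is stored as '_request'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    headers = {"_request": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def sni_decision(headers: dict) -> Optional[str]:
    """Return the blocked SNI, or None when the request may pass. A missing
    X-SNI means the client sent no SNI (Squid forwards only what it was given),
    so there is nothing to match and this check does not block."""
    sni = headers.get("x-sni", "").lower().rstrip(".")
    return sni if sni in BLOCKED_SNI else None

def reqmod_response(raw: bytes) -> bytes:
    """ICAP reply: 204 lets the request through unchanged; 200 carries an
    HTTP 403 (headers only, hence null-body) when the SNI is on the list."""
    headers = parse_icap_headers(raw)
    hit = sni_decision(headers)
    if hit is None:
        return b"ICAP/1.0 204 No modifications needed\r\n" + ISTAG + b"\r\n"
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n"
            b"X-Blocked-SNI: " + hit.encode() + b"\r\n\r\n")  # constructed header
    return (b"ICAP/1.0 200 OK\r\n" + ISTAG +
            b"Encapsulated: res-hdr=0, null-body=%d\r\n\r\n" % len(http) + http)
```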
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users