On 11/03/18 23:54, Nicolas Kovacs wrote:
> On 11/03/2018 at 11:17, Amos Jeffries wrote:
>> The process is not getting anywhere close to caching being relevant. The
>> error you mentioned earlier is in the TLS handshake part of the process.
>
> I've experimented some more, and I have a partial success. Here, I'm
> redirecting all HTTPS traffic *except* the one that goes to my bank:
>
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
>
> This works because my bank is hosted on a single IP. As soon as I
> replace that with a domain that's hosted on multiple IPs, I get this:
>
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com --dport 443 -j REDIRECT --to-port 3129
>
> # firewall.sh
> iptables v1.4.21: ! not allowed with multiple source or destination IP addresses
>
> So my question is: how can I write an iptables rule (or series of rules)
> that redirect all traffic to my proxy, *except* the one going to
> <list_of_domains> ?

The whois system can provide info on the IP ranges owned by companies like Google, which own their own ranges.

The alternative for ssl-bump is the splice action. For that you only need to know the server names each company uses.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
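The splice approach Amos refers to, written out as an added squid.conf fragment that is not part of the thread. It assumes Squid 3.5 or later with an intercepting https_port on 3129 (the port the iptables REDIRECT rules above target) and a CA certificate at a placeholder path already deployed to the clients; the excluded server names are the two from the question.

```squid
# Intercepting HTTPS listener matching "REDIRECT --to-port 3129".
# The cert path is a placeholder for the CA you generate host certs with.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Sites that must not be bumped, matched on the TLS server name (SNI)
# instead of on destination IP addresses, so multi-IP hosts are no problem.
acl nobump ssl::server_name www.credit-cooperatif.coop
acl nobump ssl::server_name www.google.com

# The SNI is only known after the ClientHello has been inspected.
acl step1 at_step SslBump1

# Step 1: peek at the ClientHello to learn the server name.
# Step 2: pass the excluded sites through untouched (splice), bump the rest.
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all
```

With this in place the iptables rule no longer needs the `! -d` exclusion and can redirect all port 443 traffic to 3129. Note that the server name is supplied by the client, so a splice decision based on it trusts the client's SNI; log spliced connections if you need to audit which names bypassed bumping.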