Search squid archive

Re: Allow some domains to bypass Squid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Alex would like to say, splice, when implemented, more easy to
maintenance than iptables/firewall rules.

It's trivial to implement. Here is my config snippet:

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex
"/usr/local/squid/etc/acl.url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

acl.ur.nobump fragment:

# Adobe updates (web installation)
# This requires to splice due to SSL-pinned web-downloader
(get|platformdl|fpdownload|ardownload[0-9])\.adobe\.com
....

As Alex said, splice list require to maintenance all time.

Common rule is:

- Each SSL Pinning site must be spliced.

- Each OCSP stapling site must be spliced.

- Each site could not be bumped should spliced.

Feel free to make RTFM first:

https://wiki.squid-cache.org/Features/SslPeekAndSplice


12.03.2018 00:39, Nicolas Kovacs пишет:
> Le 11/03/2018 à 16:48, Alex Crow a écrit :
>> It would be a lot easier to just create exceptions on the squid device
>> for sites where bumping doesn't work which cause then to be tunnelled or
>> spliced rather then bumped. You can then at least use dstdomain or
>> ssl:servername rules. dstdomain will let you tunnel or splice, whereas
>> ssl servername you will only be able to splice as an SSL connection must
>> already have been started AFAIK. Your firewall will probably need
>> restarting every time one of the IP addresses behind those hostnames
>> changes. Squid will at least do a lookup every request for dstdomain
>> (you need a good DNS server nearby or on the squid box).
> What would this configuration look like? Do you have a working example?
>
> Niki
>

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux