As Alex says, splice, when implemented, is easier to maintain than iptables/firewall rules. It's trivial to implement. Here is my config snippet:

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

acl.url.nobump fragment:

# Adobe updates (web installation)
# This requires splicing due to the SSL-pinned web downloader
(get|platformdl|fpdownload|ardownload[0-9])\.adobe\.com
....

As Alex said, the splice list requires maintenance all the time. The common rules are:

- Each SSL-pinning site must be spliced.
- Each OCSP stapling site must be spliced.
- Each site that cannot be bumped should be spliced.

Feel free to RTFM first: https://wiki.squid-cache.org/Features/SslPeekAndSplice

12.03.2018 00:39, Nicolas Kovacs wrote:
> On 11/03/2018 at 16:48, Alex Crow wrote:
>> It would be a lot easier to just create exceptions on the squid device
>> for sites where bumping doesn't work which cause them to be tunnelled or
>> spliced rather than bumped. You can then at least use dstdomain or
>> ssl:servername rules. dstdomain will let you tunnel or splice, whereas
>> ssl servername you will only be able to splice as an SSL connection must
>> already have been started AFAIK. Your firewall will probably need
>> restarting every time one of the IP addresses behind those hostnames
>> changes. Squid will at least do a lookup every request for dstdomain
>> (you need a good DNS server nearby or on the squid box).
> What would this configuration look like? Do you have a working example?
>
> Niki
>

--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
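A small checker for the splice list described above, as an added example that is not part of the original post or of Squid itself. It reads an acl.url.nobump-style file the way Squid does (one regex per line, # comments skipped), applies the post's three ssl_bump rules to a list of server names, and flags patterns that are not anchored with ^ and $. The anchoring check matters because Squid's regex ACLs do an unanchored substring search, so the Adobe pattern from the post also splices any longer host name that merely contains "get.adobe.com", exempting it from inspection. Python's re module stands in for Squid's POSIX extended regex (an assumption; the patterns used here are valid in both), and the bank host and the test names are constructed.

```python
import re

# Constructed sample of an acl.url.nobump file. The Adobe entry is the one
# quoted in the post; the second entry is made up to show an anchored pattern.
NOBUMP_FILE = r"""
# Adobe updates (web installation)
# This requires splicing due to the SSL-pinned web downloader
(get|platformdl|fpdownload|ardownload[0-9])\.adobe\.com
# constructed entry: anchored, so only this exact host is spliced
^api\.bank\.example$
"""


def load_nobump(text):
    """Read the file as Squid reads a regex ACL file: one pattern per line,
    '#' comment lines and blank lines skipped. Python's re stands in for
    Squid's POSIX extended regex (an assumption); the syntax used here is
    common to both. Patterns are case-sensitive, as in Squid without -i."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def ssl_bump_decision(server_name, nobump):
    """Mirror the post's three ssl_bump lines for one TLS connection:
    step 1 peeks to learn the SNI; then 'splice NoSSLIntercept' wins if any
    pattern matches the server name (an unanchored search, like Squid's
    regex ACLs); otherwise 'bump all' applies."""
    for pat in nobump:
        if pat.search(server_name):
            return "splice"
    return "bump"


def audit(server_names, nobump):
    """Decide every name in a list; useful before pushing a new acl file."""
    return {name: ssl_bump_decision(name, nobump) for name in server_names}


def unanchored_patterns(nobump):
    """Return the pattern strings that lack ^ or $: because the match is a
    substring search, these also splice any longer host name that contains
    the intended one, which exempts unintended sites from inspection."""
    return [p.pattern for p in nobump
            if not (p.pattern.startswith("^") and p.pattern.endswith("$"))]


if __name__ == "__main__":
    acl = load_nobump(NOBUMP_FILE)
    # Constructed server names to try against the file.
    names = [
        "get.adobe.com", "ardownload3.adobe.com", "www.adobe.com",
        "forget.adobe.com", "api.bank.example", "api.bank.example.net",
    ]
    for name, verdict in audit(names, acl).items():
        print(f"{name:28} -> {verdict}")
    for pattern in unanchored_patterns(acl):
        print("unanchored pattern, may over-match:", pattern)
```

Run it against your real acl file before reloading Squid: any host that unexpectedly comes back as "splice" is traffic you will not see, and every pattern listed as unanchored is worth tightening with ^ and $.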
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users