On 1/3/21 10:17 AM, NgTech LTD wrote:
> As I noticed in the past it seems that for a good splice and/or bump I
> need the any-of acl to be used.
> It's a bit different than the way squid acls work in general.

The ACLs in ssl_bump rules work exactly the same as ACLs in other directives. The any-of ACL is not required for ssl_bump or any other directive. That ACL can indeed be helpful in writing good ssl_bump and many other rules.

Side note: While bumping is often required for blocking traffic, and splicing often implies allowing traffic, those actions/decisions are often quite distinct. Do not ignore http_access rules while working on ssl_bump rules -- Squid consults _both_ sets of rules, first during step1 and then again during step2!

HTH,

Alex.

> On Sun, Jan 3, 2021, 17:06 Amos Jeffries wrote:
>
> > On 4/01/21 3:12 am, ngtech1ltd wrote:
> > > I am looking for domains lists that can be used for squid to be PCI
> > > Certified.
> > >
> > > I have read this article:
> > > https://www.imperva.com/learn/data-security/pci-dss-certification/
> > >
> > > And a couple of others to try and understand what a Squid proxy's
> > > ssl-bump exception rules should contain.
> > > So technically we need:
> > > - Banks
> > > - Health care
> > > - Credit Cards (Visa, Mastercard, others)
> > > - Payments sites
> > > - Antivirus (updates and portals)
> > > - OS and software Updates signatures (ASC, MD5, SHAx etc..)
> > >
> > > * https://support.kaspersky.com/common/start/6105
> > > * https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall
> > > * https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS100291&_afrLoop=641093247174514&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25&centerWidth=100%25#!%40%40%3FshowFooter%3Dfalse%26_afrLoop%3D641093247174514%26articleId%3DTS100291%26leftWidth%3D0%2525%26showHeader%3Dfalse%26wc.contextURL%3D%252Fspaces%252Fcp%26rightWidth%3D0%2525%26centerWidth%3D100%2525%26_adf.ctrl-state%3D3wmxkd4vc_9
> > >
> > > If someone has the documents which instruct what domains to not
> > > inspect it would also help a lot.
> >
> > Are you trying to get Squid certified as a PCI WAF agent?
> > or as security infrastructure agent?
> > or as general networking agent?
> >
> > These roles matter in regards to the PCI requirement to detect
> > malicious transactions.
> >
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
> > http://lists.squid-cache.org/listinfo/squid-users
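
The points made in the reply above, as a squid.conf sketch. This is an added example, not configuration posted by anyone in the thread; the domain names and the client address range are constructed placeholders, and the `http_port ... ssl-bump` listener and CA certificate settings are assumed to exist elsewhere in the file.

```conf
# Added example. Domains under .example and the 10.0.0.0/8 client range
# are constructed placeholders, not a real PCI exemption list.

acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8

# One ACL per exemption category named in the original question.
acl banks     ssl::server_name .bank.example
acl payments  ssl::server_name .payments.example
acl av_update ssl::server_name .av-updates.example

# ACLs listed on one rule line are ANDed in every Squid directive, so
#   ssl_bump splice banks payments
# would need a server name that is in both lists and would never match.
# any-of ORs its members into a single ACL. It is a convenience, not a
# requirement: three separate "ssl_bump splice <acl>" lines behave the same.
acl no_inspect any-of banks payments av_update

acl step1 at_step SslBump1

# http_access is evaluated as well as ssl_bump (per the reply above, at
# step1 and again at step2). A splice rule does not allow traffic by
# itself; the connection must also pass these rules.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# ssl_bump rules: first matching rule at each step wins.
ssl_bump peek step1          # read the TLS client hello (SNI) first
ssl_bump splice no_inspect   # tunnel exempt sites without decrypting
ssl_bump bump all            # decrypt and inspect everything else
```

`squid -k parse` checks the file for syntax errors before a reload.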