Re: Squid ACL for bypassing ssl-bump

On 2/25/21 2:07 PM, Justin Michael Schwartzbeck wrote:

> I have thus far used dstdomain acl for bypassing ssl bump on sites that
> we don't want to decrypt, like banking sites. It seems to work for some
> sites, but not for others.

Yes, many HTTPS transactions do not expose the destination domain until it
is too late to decide whether to bump them, and reverse DNS lookups are
often unreliable.


> I was thinking about this, and it seems to me that if we are using the
> squid proxy with a dns server, we should be able to check the dns cache
> for that IP, and find the associated hostname, and then match against that.

When you use dstdomain, Squid will do a (reverse) DNS query for you as
necessary (including DNS cache lookups) unless you specify a -n option
that is documented to disable all such operations.


In many cases, you should be using ssl::server_name instead of dstdomain
or dst ACL, but you may have to use a combination of various ACLs to
cover all the cases you care about.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
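The peek-then-splice arrangement that makes ssl::server_name usable, as an added squid.conf example that is not part of the original thread; the domain names and the IP address are placeholders, and the acl names are arbitrary:

```conf
# Constructed squid.conf fragment (not from the original message).
# Replace the placeholder names/addresses with the sites you exempt.

# Name for the first SslBump processing step (before any TLS bytes are seen).
acl step1 at_step SslBump1

# Sites to splice (pass through undecrypted). ssl::server_name matches the
# CONNECT host, the TLS SNI learned by peeking, or the server certificate
# names, so it catches cases where dstdomain on the CONNECT target did not.
# Repeated lines with the same acl name are ORed together.
acl nobump_sites ssl::server_name .bank.example
acl nobump_sites ssl::server_name .anotherbank.example

# Another ACL type for servers that present no usable SNI or certificate
# name; dst matches the destination IP directly with no DNS lookup.
acl nobump_sites_ip dst 192.0.2.10/32

# Step 1: only the CONNECT target / intercepted IP is known, so peek to
# obtain the ClientHello (and its SNI) without committing to bump.
ssl_bump peek step1
# Step 2: SNI is now available; splice the exempted sites ...
ssl_bump splice nobump_sites
ssl_bump splice nobump_sites_ip
# ... and bump everything else.
ssl_bump bump all
```

Because a peek at step 1 only inspects the ClientHello, the later bump rule still applies; peeking at step 2 (forwarding the ClientHello) would leave only splice or terminate as options.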