Thanks Christos,

I was aware of such things but haven't seen such a case.
Is there any way to "reproduce" this?
I believe it should be documented in the wiki.

Thanks,

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Christos Tsantilas
Sent: Monday, February 21, 2022 11:41
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Splice certain SNIs which served by the same IP

Hi Ben,

When HTTP/2 is used, requests for two different domains may be served using the same TLS connection if both domains are served from the same remote server and use the same TLS certificate.

There is a description here:
https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/

And a similar problem report here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1176673

Regards,
Christos

On 14/2/22 3:49 PM, Ben Goz wrote:
> By the help of God.
>
> Hi,
> My squid version is 4.15, using it on tproxy configuration.
>
> I'm using ssl bump to intercept https connection, but I want to splice
> several domains.
> I have a problem that when I'm splicing some google domains eg.
> youtube.com then gmail.com domain also spliced.
>
> I know that it is very common for google servers to host multiple
> domains on single server.
> And I suspect that when I'm splicing for example youtube.com
> it'll also splice google.com.
>
> Here are my squid configurations for the ssl bump:
>
> https_port xxxx ssl-bump tproxy generate-host-certificates=on
> options=ALL dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
>
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/url-no-bump"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i
> "/usr/local/squid/etc/url-no-bump-regexp"
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
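
The coalescing condition described in the thread (same server IP, one certificate valid for both names), as an added example that is not part of the original messages: it audits a splice list against a bump list to show which bumped names a client could carry over an already spliced HTTP/2 connection. The function names, hostnames, IP addresses and SAN lists are constructed for illustration, and the IP-overlap test is a simplified model of client behaviour.

```python
# Added example (not from the thread). Hostnames, IPs and SAN lists are constructed.

def san_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.test"
        head = host[:-len(suffix)]
        return host.endswith(suffix) and head != "" and "." not in head
    return pattern == host

def coalescing_candidates(splice_hosts, bump_hosts, dns, certs):
    """Map each spliced SNI to the hosts meant to be bumped that an HTTP/2
    client may reuse the spliced connection for: the two names share a server
    IP and the certificate served for the spliced SNI is valid for both."""
    result = {}
    for spliced in splice_hosts:
        sans = certs.get(spliced, [])
        hits = [b for b in bump_hosts
                if dns.get(spliced, set()) & dns.get(b, set())
                and any(san_matches(p, b) for p in sans)]
        if hits:
            result[spliced] = sorted(hits)
    return result

# Constructed inventory: DNS answers and the SAN list seen for the spliced SNI.
DNS = {
    "video.example.test":  {"192.0.2.10", "192.0.2.11"},
    "mail.example.test":   {"192.0.2.11"},            # shares an IP with video
    "news.example.test":   {"203.0.113.5"},           # covered by cert, other IP
    "a.b.example.test":    {"192.0.2.10"},            # wildcard spans one label only
    "shop.other.test":     {"192.0.2.10"},            # same IP, not in the cert
}
CERTS = {"video.example.test": ["*.example.test", "example.test"]}
SPLICE = ["video.example.test"]
BUMP = ["mail.example.test", "news.example.test", "a.b.example.test", "shop.other.test"]

if __name__ == "__main__":
    for sni, others in coalescing_candidates(SPLICE, BUMP, DNS, CERTS).items():
        print(f"splice {sni}: connection may also carry {', '.join(others)}")
```

Names reported here are the ones to expect in spliced traffic even though no splice rule matches them.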