Re: Splice certain SNIs which served by the same IP

By the help of God.

If I'm using the self-signed certificate that I created for the ssl bump, does the browser then consider it the same certificate for any domain I'm connecting to?

On Tue, 22 Feb 2022 at 7:35, Eliezer Croitoru <ngtech1ltd@xxxxxxxxx> wrote:
Thanks Christos,

I was aware of such things but haven't seen such a case.
Is there any way to "reproduce" this?
I believe it should be documented in the wiki.

Thanks,

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Christos Tsantilas
Sent: Monday, February 21, 2022 11:41
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Splice certain SNIs which served by the same IP

Hi Ben,

When HTTP/2 is used, requests for two different domains may be served using
the same TLS connection if both domains are served from the same remote
server and use the same TLS certificate.
There is a description here:
    https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/

And a similar problem report here:
    https://bugs.chromium.org/p/chromium/issues/detail?id=1176673

Regards,
    Christos


On 14/2/22 3:49 PM, Ben Goz wrote:
> By the help of God.
>
> Hi,
> My squid version is 4.15, using it on tproxy configuration.
>
> I'm using ssl bump to intercept https connection, but I want to splice
> several domains.
> I have a problem that when I'm splicing some google domains, e.g.
> youtube.com, then the
> gmail.com domain is also spliced.
>
> I know that it is very common for google servers to host multiple
> domains on single server.
> And I suspect that when I'm splicing for example youtube.com
> it'll also splice google.com.
>
>   Here are my squid configurations for the ssl bump:
>
> https_port xxxx ssl-bump tproxy generate-host-certificates=on
> options=ALL dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
>
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i
> "/usr/local/squid/etc/url-no-bump-regexp"
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
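
The coalescing condition Christos describes, as an added example that is not part of the original thread or of Squid: given one spliced connection, it lists the other hostnames a browser could send through the same tunnel. The reuse rule is simplified to "certificate covers the name and the name resolves to the connection's IP"; all hostnames, addresses and SAN entries are constructed.

```python
# Added example. All hostnames, IPs and SAN entries below are constructed.

def san_matches(pattern, host):
    """Certificate name match: '*' is accepted only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]  # wildcard spans exactly one label

def can_coalesce(conn, host, resolved_ips):
    """True when the open connection's certificate covers host AND host
    resolves to the IP the connection already goes to (simplified rule)."""
    covered = any(san_matches(p, host) for p in conn["cert_sans"])
    return covered and conn["server_ip"] in resolved_ips

def spliced_side_effects(conn, dns, splice_list):
    """Hosts NOT on the splice list whose requests may still travel inside
    the tunnel that was spliced for conn['sni']."""
    return sorted(
        h for h, ips in dns.items()
        if h not in splice_list and h != conn["sni"] and can_coalesce(conn, h, ips)
    )

# Connection the proxy spliced after peeking at the SNI (constructed).
CONN = {
    "sni": "video.example.test",
    "server_ip": "192.0.2.10",
    "cert_sans": ["*.example.test", "example.test", "video-cdn.example.net"],
}
# What the client's resolver returns for other names (constructed).
DNS = {
    "video.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.10", "192.0.2.11"},  # same cert, shared IP
    "example.test": {"192.0.2.10"},                     # exact SAN, shared IP
    "a.b.example.test": {"192.0.2.10"},                 # two labels: wildcard does not cover
    "docs.example.test": {"192.0.2.99"},                # covered, but different IP
    "other.example.org": {"192.0.2.10"},                # shared IP, not in the cert
}
SPLICE_LIST = {"video.example.test"}

if __name__ == "__main__":
    for host in spliced_side_effects(CONN, DNS, SPLICE_LIST):
        print(f"{host} can reuse the tunnel spliced for {CONN['sni']}")
```
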