Re: disable https inspection for licensing some apps

On 5/18/22 12:28, robert k Wild wrote:

    acl DiscoverSNIHost at_step SslBump1
    acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointercept.txt"
    ssl_bump peek DiscoverSNIHost
    ssl_bump splice NoSSLIntercept
    ssl_bump bump all

OK, the above configuration makes the splice/bump decision based on plain text information provided by the TLS client.


    and in the nointercept.txt
    i have the url in there

ssl::server_name needs a host/domain name, not a regular URL. No URLs are exchanged in plain text between TLS client and the origin server.

Please note that, even after adjusting nointercept.txt to contain domain name(s), the above configuration may not always work in modern Squids: It will work when the client sends a matching domain name

* in the CONNECT request headers (and sends no TLS SNI at all)
* in the CONNECT request headers and in TLS SNI
* in TLS SNI (the CONNECT request headers should not matter).

It will also work when a CONNECT request is using an IP address that reverse-resolves to a matching domain name (which is not overwritten by a mismatching SNI).

In all other cases, Squid will bump traffic even if it is ultimately going to the server named in nointercept.txt.

There is no configuration that will address all possible cases in general. TLS makes that impossible (at least not without probing TLS origin servers, which is something Squid does not do yet).


HTH,

Alex.


    , also i have it in the url white list so it can actually see the url

    is there something else i need to add for this to work

    or maybe some websites ie license website just dont like it going through a proxy


On Wed, 18 May 2022 at 16:57, robert k Wild <robertkwild@xxxxxxxxx> wrote:

    hi all,

    i have squid proxy configured as ssl bump and i white list some
    websites only

    but for some websites i dont want to inspect https traffic as it
    breaks the cert when i want to license some apps via the url
    (whitelist url)

    how can i disable https inspection for some websites please

    many thanks,
    rob

-- Regards,

    Robert K Wild.



--
Regards,

Robert K Wild.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
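
The cases listed in the reply above, as an added example that is not part of the original thread and is not Squid's own code: a simplified Python model of which name the quoted peek/splice/bump rules end up comparing against nointercept.txt. The host names, the 203.0.113.10 address and the `reverse_dns` argument are constructed for illustration, and list matching is assumed to follow dstdomain-style rules.

```python
# Added illustration: a simplified model of the cases in the reply, not Squid source code.
from urllib.parse import urlsplit
import ipaddress

def to_server_name(entry):
    """Reduce a URL-style list entry to the bare host name ssl::server_name expects."""
    entry = entry.strip()
    host = urlsplit(entry).hostname if "://" in entry else entry.split("/")[0].split(":")[0]
    return (host or "").lower()

def name_matches(name, patterns):
    """Assumed dstdomain-style match: '.example.com' covers the domain and its subdomains."""
    name = name.lower().rstrip(".")
    for p in patterns:
        if p.startswith("."):
            if name == p[1:] or name.endswith(p):
                return True
        elif name == p:
            return True
    return False

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(connect_host, sni, patterns, reverse_dns=None):
    """Return 'splice' or 'bump' for the peek/splice/bump rules quoted in the thread.

    sni: name from the TLS ClientHello, or None when the client sent none.
    reverse_dns: constructed stand-in for a PTR lookup of an IP CONNECT target.
    """
    if sni:                          # SNI, when present, is the name that gets compared
        name = sni
    elif not is_ip(connect_host):    # no SNI: fall back to the CONNECT host name
        name = connect_host
    else:                            # IP-only CONNECT: only a reverse-resolved name can match
        name = reverse_dns or ""
    return "splice" if name and name_matches(name, patterns) else "bump"

# Constructed sample list: one URL-style entry (as in the question) and one domain entry.
NOINTERCEPT = [to_server_name(e) for e in ["https://licensing.example.com/activate", ".vendor.example"]]
```

Running `decide()` over the CONNECT host and SNI pairs seen in access logs shows which licensing clients would still be bumped after the list is converted to domain names.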