
Re: Put URLs and URL regex in one text file


 



Thanks Amos,

So does that mean for all my SSL::server_name ACLs, I should be using SSL_bump and not http_access?


On Sat, 21 May 2022, 06:10 Amos Jeffries, <squid3@xxxxxxxxxxxxx> wrote:
On 20/05/22 23:26, robert k Wild wrote:
> Sorry I'm a bit thick
>

Don't be. These things beyond plain-text HTTP are unfortunately a bit
complex.

The key thing to remember is that Squid is dealing with *layers* of
protocols wrapped around each other.

This wiki page
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Terminology>
documents the process as well as we can.

> So I've read SSL::server_name_regex which uses sni is better than
> dstdomain_regex
>
> So I think I'm better off using the sni one then?
>

Neither is "better". They check different things.

Usually checking _both_ is useful since "HTTPS" is an HTTP request (with
domain) wrapped inside TLS (with SNI). The two values there are usually
supposed to be the same, but may not be.

The ssl_bump access controls should check ssl::server_name* ACLs.

The http_access should check dst* ACLs for HTTP message URL, and may
also check ssl::* ACLs for TLS details (including the TLS server name).


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
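
The layering described in the reply above, as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the ACL names, file paths and the localnet range are assumptions, and it presumes an http_port that is already set up for ssl-bump with a signing CA.

```conf
# Added example. ACL names, file paths and the localnet range are assumptions.

# Constructed client range
acl localnet src 192.168.0.0/16

# TLS layer: matched against the server name from the TLS handshake (SNI)
acl blocked_sni ssl::server_name_regex -i "/etc/squid/blocked_sni.regex"

# HTTP layer: matched against the host in the HTTP request URL
acl blocked_dst dstdomain_regex -i "/etc/squid/blocked_dst.regex"

acl step1 at_step SslBump1

# ssl_bump rules check the ssl::server_name* ACLs
ssl_bump peek step1
ssl_bump terminate blocked_sni
ssl_bump bump all

# http_access rules check the dst* ACLs for the HTTP message URL,
# and may also check the TLS server name
http_access deny blocked_dst
http_access deny blocked_sni
http_access allow localnet
http_access deny all
```

Keeping the SNI patterns and the URL-host patterns in separate files lets each list be checked at the layer it belongs to, and checking both catches requests where the two values differ.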
