I'm currently using Bump-Server-First, but I'm fiddling with Bump/Peek/Splice and have uncovered some compatibility problems with the way I'm currently doing things, so I'm hoping for some advice:
To enforce Google's Safe Search, Google recommends setting up a CNAME in the local DNS server to redirect requests for www.google.com to forcesafesearch.google.com. A DNS change like that would apply to the whole network and I want to only apply it to certain users, so I'm doing this a slightly different way: The "CONNECT www.google.com" request gets sent to an ICAP REQMOD method, which rewrites it to "CONNECT forcesafesearch.google.com", causing Squid to connect to the appropriate IP address. The rest of the request behaves as though the connection was to www.google.com - i.e. the HTTP requests within the bumped connection appear as https://www.google.com/... etc.
With Bump-Server-First, this works ok - the CN and SANs are copied from Google's original certificate into the forged cert, so as far as the browser is concerned the certificate is valid for www.google.com. However, with the new Bump functionality, the CN of the forged certificate appears to come from the (rewritten) CONNECT request, so the browser sees a CN of forcesafesearch.google.com.
Is there a better way of doing what I'm doing? What is the reasoning behind the change to using the name from the CONNECT string, rather than copying it from the server's certificate, or have I misconfigured something? Notably, some applications CONNECT to the IP address rather than the server's host name, but would still expect the certificate's CN to be the server's hostname.
A related second question is that obviously when transparently proxying traffic, the host name isn't available in the CONNECT request, so the above rewrite method doesn't work anyway. I'm using an external ACL at Bump Step 2 to look at the SNI that's obtained from the client handshake and decide whether to bump - is there any way for the external ACL to change the IP address that Squid will connect to, to replicate the rewrite above?
Also, I've noticed that the "%un" external ACL format code is never being filled with the user name when calling an external ACL during bump step 2, even though the request has been authenticated.
Any advice gratefully received; it looks like I'm spending next week working through these issues. :)
--
- Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messenger: xmpp:[email protected]
Email: [email protected]
Phone: sip:[email protected]

Sales / enquiries contacts:
Email: [email protected]
Phone: +44-1792-824568 / sip:[email protected]

Support contacts:
Email: [email protected]
Phone: +44-1792-825748 / sip:[email protected]
_______________________________________________ squid-dev mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-dev
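An added example, not from the post or from the Squid project, of the bump-step-2 external ACL helper the post describes: it reads the SNI and user name fields Squid passes it and answers OK (bump) only for users who must receive Safe Search, treating a missing user name (the step-2 behaviour the post reports) as "do not bump". The squid.conf line in the docstring, the user list and the host list are constructed assumptions; the helper only decides whether to bump and does not change the destination address.

```python
import sys
from urllib.parse import unquote

# Constructed policy data for illustration only; a real deployment would
# take these from a group lookup or database.
SAFE_SEARCH_USERS = {"alice", "bob"}          # users who must get Safe Search
SAFE_SEARCH_HOSTS = {"www.google.com"}        # sites to bump for those users


def decide(line):
    """Parse one lookup line from Squid and return the helper's reply line.

    Assumed helper definition in squid.conf:
      external_acl_type sni_user concurrency=10 %ssl::>sni %un /path/to/helper
    so each lookup line is: <channel-id> <sni> <user>
    Squid sends "-" for an empty field, and at bump step 2 the user field may
    be absent altogether; both cases are treated as "unknown user".
    """
    fields = line.strip().split()
    if len(fields) < 2:
        # BH tells Squid the helper could not process this lookup.
        return (fields[0] + " " if fields else "") + "BH"
    channel = fields[0]
    sni = unquote(fields[1]).lower().rstrip(".")   # fields are URL-encoded
    user = unquote(fields[2]).lower() if len(fields) > 2 else "-"
    if not sni or sni == "-":
        # No SNI in the client hello: site cannot be identified, splice it.
        return f"{channel} ERR"
    if user == "-" or user not in SAFE_SEARCH_USERS:
        # Unknown or unrestricted user: leave TLS end-to-end (splice).
        return f"{channel} ERR"
    if sni in SAFE_SEARCH_HOSTS:
        return f"{channel} OK"                     # bump this connection
    return f"{channel} ERR"


def main():
    # Squid keeps the helper running and writes one lookup per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pair it with `acl bump_sni external sni_user`, `ssl_bump peek step1`, `ssl_bump bump bump_sni` and `ssl_bump splice all` so the helper is consulted once the SNI is known at step 2.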
