On 06/07/11 18:34, Deniz Eren wrote:
Hi;

Can you give me an idea from where to start in order to pass https
traffic unprocessed through squid or implement SNI filtering for
squid, that will be enough to start my project.

Thanks in advance..


We have not yet gotten around to implementing a "ssl" flag on http_port directives. You will need to start with that to allow detection of the case where ssl traffic is intercepted on a port.

You will need to adjust TunnelStateData so that you can create it with only a Comm::Connection object instead of a ClientHttpRequest or HttpRequest object.


You will need to then figure out what changes to ConnStateData are needed to detect the intercept+ssl flags case and do SNI instead of parsing an HTTP request. Have it spawn a TunnelStateData object to do the actual bit-relay work. Somehow make sure the whole SSL sequence, including SNI data, arrives properly at the destination server without getting lost or swallowed by Squid's processing.

Good luck.


On Mon, Jul 4, 2011 at 3:04 PM, Deniz Eren <[email protected]> wrote:
Hi;

I'm planning to work on an acl which uses SNI. But I need to pass
https traffic through squid without processing it. Because I'm not
interested in filtering or seeing the content, SNI server_name info
will be enough. But with squid it is not possible to pass https
traffic without processing it. In my design I won't use proxy, the
iptables rule below will redirect https traffic to squid:

iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT
--to-destination 192.168.0.1:3128

Can you give me ideas how to solve above problem? And also are you
working on SNI filtering?

Good day to you..



--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9

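As an added example (not Squid code and not from this thread), this is the kind of bounds-checked SNI extraction that the ConnStateData step above would have to run on the first bytes read from an intercepted SSL port, before handing the connection to a TunnelStateData relay; the names extractSni and makeClientHello are hypothetical, and the ClientHello bytes are constructed for the test rather than captured.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Bounds-checked extraction of the SNI host_name from a raw TLS record that holds a
// ClientHello. Returns "" for anything else, so a truncated hello never reads past the buffer.
static std::string extractSni(const std::vector<uint8_t>& buf) {
    const size_t n = buf.size();
    auto u16 = [&](size_t i) { return (size_t(buf[i]) << 8) | buf[i + 1]; };
    if (n < 5 || buf[0] != 0x16) return "";                  // record type 0x16 = handshake
    size_t recEnd = 5 + u16(3); if (recEnd > n) recEnd = n;  // tolerate a truncated record
    size_t p = 5;
    if (p + 4 > recEnd || buf[p] != 0x01) return "";          // handshake type 0x01 = ClientHello
    p += 4 + 2 + 32;                                          // hs header, client_version, random
    if (p + 1 > recEnd) return "";  p += 1 + buf[p];          // session_id
    if (p + 2 > recEnd) return "";  p += 2 + u16(p);          // cipher_suites
    if (p + 1 > recEnd) return "";  p += 1 + buf[p];          // compression_methods
    if (p + 2 > recEnd) return "";
    const size_t extEnd = p + 2 + u16(p);
    if (extEnd > recEnd) return "";
    for (p += 2; p + 4 <= extEnd; ) {                         // walk the extensions
        const size_t type = u16(p), len = u16(p + 2);
        p += 4;
        if (p + len > extEnd) return "";
        if (type != 0x0000) { p += len; continue; }           // 0x0000 = server_name
        // server_name_list: list_len(2), then entries of name_type(1), name_len(2), name
        for (size_t q = p + 2, listEnd = p + len; q + 3 <= listEnd; ) {
            const uint8_t nameType = buf[q];
            const size_t nameLen = u16(q + 1);
            q += 3;
            if (q + nameLen > listEnd) return "";
            if (nameType == 0) return std::string(buf.begin() + q, buf.begin() + q + nameLen);
            q += nameLen;
        }
        return "";
    }
    return "";
}

// Constructed test input (not a real capture): minimal TLS 1.2 ClientHello with one SNI entry.
static std::vector<uint8_t> makeClientHello(const std::string& host) {
    const uint8_t hl = uint8_t(host.size());                  // short names only in this helper
    std::vector<uint8_t> body = {3, 3};                       // client_version
    body.insert(body.end(), 32, 0x42);                        // random
    body.insert(body.end(), {0, 0, 2, 0x13, 0x01, 1, 0,       // no session_id, one suite, null compression
                             0, uint8_t(hl + 9), 0, 0, 0, uint8_t(hl + 5), 0, uint8_t(hl + 3), 0, 0, hl});
    body.insert(body.end(), host.begin(), host.end());        // extensions: server_name only
    std::vector<uint8_t> rec = {0x16, 3, 1, 0, uint8_t(body.size() + 4), 1, 0, 0, uint8_t(body.size())};
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}
```

In the intercept case the extractor only sees the client's first bytes; those same bytes must still be forwarded unchanged to the origin server, which is the "not swallowed by Squid's processing" caveat above.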