Hi Deniz,
You can not use SSL SNI in squid unless you are intercepting the SSL
connection. So you need to touch the sslbump related code. I think you
should touch the httpsAccept function which is implemented in
client_side.cc file.
Some time ago created an experimental SNI patch which funded by
Measurement Factory which worked with intercepted connections and if I
am correct worked quite well with some restrictions (which may can be
resolved).
In the case you are interested contact Alex Rousskov and Measurement
Factory.
Regards,
Christos
On 08/03/2011 11:38 AM, Deniz Eren wrote:
Hi again;
I have changed tunnelStart(...) function a bit and now I can create
fake HTTP request without depending on ClientHttpRequest, but problem
is I could not find the right place to intercept connection and use
tunnelStart(...) to forward HTTPS packets through squid. Can you give
me ideas where to call tunnelStart(...) function and after that how to
continue? (By the way I am doing all these stuff with squid-3.1.14).
Good day to you..
Amos Jeffries<squid3 () treenet ! co ! nz>
We have not yet gotten around to implementing a "ssl" flag on http_port
directives. You will need to start with that to allow detection of the
case where ssl traffic is intercepted on a port.
You will need to adjust TunnelStateData so that you can create it with
only a Comm::Connection object instead of a ClientHttpRequest or
HttpRequest object.
You will need to then figure out what changes to ConnStateData are
needed to detect the intercept+ssl flags case and do SNI instead of
parsing an HTTP request. Have it spawn a TunnelStateData object to do
the actual bit-relay work. Somehow making sure the whole SSL sequence
including SNI data arrive properly at the destination server without
getting lost or swallowed by Squids processing.
Good luck.
On Wed, Jul 6, 2011 at 9:34 AM, Deniz Eren<[email protected]> wrote:
Hi;
Can you give me an idea from where to start in order to pass https
traffic unprocessed through squid or implement SNI filtering for
squid, that will be enough to start my project.
Thanks in advance..
On Mon, Jul 4, 2011 at 3:04 PM, Deniz Eren<[email protected]> wrote:
Hi;
I'm planning to work on an acl which uses SNI. But I need to pass
https traffic through squid without processing it. Because I'm not
interested in filtering or seeing the content, SNI server_name info
will be enough. But with squid it is not possible to pass https
traffic without processing it. In my design I won't use proxy, the
iptables rule below will redirect https traffic to squid:
iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT
--to-destination 192.168.0.1:3128
Can you give me ideas how to solve above problem? And also are you
working on SNI filtering?
Good day to you..
