On Sun, 2016-04-03 at 21:18 -0700, Jok Thuau wrote:
> I'm attempting to build a transparent proxy (policy based routing on
> firewall to squid proxy) with the following behavior:
>
> 1) proxies http traffic for a given set of domains, provide a message
> otherwise such as "domain not allowed" or similar
> 2) proxies https traffic for a given set of domains (ideally, splicing
> those, so as not to break HSTS, if enabled), otherwise provide an
> error message (bumping and providing "domain not allowed")
>
> I'm attempting this with a 3.5.15 compiled with icap (not yet used)
> and ssl-bumping.
>
> Part 1 seems easy enough (and is well documented)...
>
> acl whitelist dstdomain .domain1.tld
> acl whitelist dstdomain .domain2.tld
>
> acl http_ok all-of whitelist !SSL_ports
>
> http_access allow http_ok
> http_access deny all
>
> Moving on to Part 2 (the peek and splice setup) appears to be the topic
> of a few discussions out there...
>
> acl sni_whitelist ssl::server_name .domain1.tld
> acl sni_whitelist ssl::server_name .domain2.tld
>
> ssl_bump peek step1
> ssl_bump splice sni_whitelist
> ssl_bump bump all
>
> It appears however that when combining the two, the generated
> certificate(s), instead of mimicking the original server's certificate,
> come out with CN=<IP> where <IP> is the IP used by the "connect"
> part of the connection. In addition, it appears that only the first
> entry ever matches (at this point, I've tried so many combinations,
> I'm no longer certain of anything).
>
> If I remove *all* the http_access lines, then the behavior appears
> correct (from a "splicing/bumping" standpoint).
>
> Can anyone confirm that this is indeed possible to achieve?
>
> I believe, based on experimentation, that any http_access I have,
> because of the "deny all", causes the bumping to "short circuit" and
> effectively send an early "access denied" based on the only
> information it has (the IP address from the "connect", rather than the
> SNI that would come later).
>
> Would a setup where "deny http+!whitelist" so have the allow be the
> default allow for the bumping to work and get to step2 and match the
> sni* acls somehow? (with a "deny step2 !sni_whitelist").
>
> Is 3.5.15 capable of doing this? If this requires some feature/effort,
> what would be the procedure to sponsor that work?
>
> Thanks,
> Jok
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
This may assist: http://article.gmane.org/gmane.comp.web.squid.general/114389

James
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
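An added squid.conf sketch, not part of this thread and not Jok's or the Squid project's own configuration, of the structure Jok proposes at the end of his mail: let the fake CONNECT of an intercepted TLS connection pass http_access at the step where only the destination IP is known, and apply the domain check once a name (SNI, or the Host of the decrypted request after the bump) is available, so "deny all" no longer fires at step1 and produces the CN=<IP> certificates. It assumes Squid 3.5 built with ssl-bump, an intercept-mode https_port already defined, the default SSL_ports ACL, and the .domain1.tld / .domain2.tld placeholders from the post; it also swaps the post's second ssl_bump rule for a stare at step2 on non-whitelisted names so the step3 bump can mimic the server certificate.

```squid
# Added example, not the thread's or Squid's own config. Assumes Squid 3.5
# with ssl-bump and an intercept https_port; the domains are the post's
# placeholders.

acl whitelist dstdomain .domain1.tld
acl whitelist dstdomain .domain2.tld
acl sni_whitelist ssl::server_name .domain1.tld
acl sni_whitelist ssl::server_name .domain2.tld

# SslBump steps: at step1 the fake CONNECT carries only the destination IP;
# the SNI is known from step2 on, the server certificate from step3 on.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

http_access deny CONNECT !SSL_ports

# Let the intercepted TLS connection reach the ssl_bump decision instead of
# denying it at step1 on the IP alone; the domain check happens once a name
# is available (spliced connections never come back through http_access,
# bumped ones do, as decrypted requests).
http_access allow CONNECT step1
http_access allow CONNECT step2
http_access allow CONNECT step3

# Plain HTTP requests and the decrypted requests of bumped connections are
# matched on their Host name; anything else gets the access-denied page
# (a deny_info line can point that at a "domain not allowed" template).
http_access allow whitelist
http_access deny all

ssl_bump peek step1              # read the client hello to learn the SNI
ssl_bump splice sni_whitelist    # whitelisted SNI: pass through, HSTS untouched
ssl_bump stare step2             # other names: fetch the server cert so the bump can mimic it
ssl_bump bump all                # step3: bump; the decrypted request then hits http_access
```

The point of the ordering is that every http_access rule seen by the fake CONNECT at step1 and step2 is an allow, so Squid keeps going until the SNI decides between splice and bump, and the only deny is reached by requests that already carry a real host name.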