>> Hi everyone,
>> I have a transparent proxy squid 3.5.26 with C-ICAP and here are the
>> important lines:
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_preview_enable on
>> icap_preview_size 1024
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/echo
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache icap://localhost:1344/echo bypass=off
>> adaptation_access service_avi_resp allow all
>> #url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
>> http_port 3128
>> http_port 3129 intercept
>> https_port 3130 intercept ssl-bump \
>> cert=/etc/squid/ssl_cert/myCA.pem \
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>> #acl step1 at_step SslBump1
>> #acl step2 at_step SslBump2
>> #acl step3 at_step SslBump3
>> ssl_bump peek all
>> ssl_bump bump all
>NP: Peeking at step 2 precludes bumping.
>> logformat squid %ssl::>sni
>Please do not redefine the built-in format name "squid". Use a custom
>name for custom formats.
OK, it will be done.
>> adaptation_meta X-SNI "%ssl::>sni" all #or connect
>> #request_header_add X-SNI "%ssl::>sni" all
>> So I want to create an ICAP service like squidclamav, but it must check
>> the SNI, not URLs.
>Any particular reason why?
> SNI has almost nothing to do with the HTTP messages (plural). It is
> simply the name of the next-hop server (or proxy) they should be
> delivered to on their way around the web.
>I thought squidclamav was an antivirus, not a URL blocklist checker.
You're right: squidclamav is an antivirus, but it has many more services;
actually it can check URLs and match them against a blacklist or whitelist.
I don't want to decrypt HTTPS traffic, but I want to know where the client is
trying to connect. I thought SNI was the only way to know the server name and
the domain without decrypting anything.
The final goal is to blacklist, for example, Google: when the SNI indicates
www.google.com, c-icap denies the access.
>> I peek at all the steps to get the SNI, and in the squid access log the SNI is
>> printed.
>> I read that adaptation_meta can send anything from squid to ICAP, but
>> clearly I use it incorrectly: I can't see the SNI in the ICAP access log or in
>> the ICAP headers.
> Your usage appears to be correct. I think there is no SNI being received
> by Squid.
That's problematic, because in my squid access log there are "www.youtube.com"
and "www.google.com", which is exactly what I'm trying to pass to c-icap. It seems
that squid receives the SNI.
>> Does adaptation_meta create ICAP headers?
>> Or should I use
>No, that would add HTTP headers to the outgoing messages (to server or
>> I know that squid can create a 2nd fake CONNECT with the SNI, but here again
>> ICAP just prints the same CONNECT 2 times.
>That is correct, however SNI is not always sent by clients. Squid can
>only use what it is given.
>If there is an SNI in that particular clientHello you have hit a bug in
Thanks Amos for the reply.
squid-users mailing list