The alternative for ssl-bump is the splice action. For that you only
need to know the server names each company uses.


It would be a lot easier to just create exceptions on the squid device for sites where bumping doesn't work, which cause them to be tunnelled or spliced rather than bumped. You can then at least use dstdomain or ssl:servername rules. dstdomain will let you tunnel or splice, whereas with ssl servername you will only be able to splice, as an SSL connection must already have been started AFAIK. Your firewall will probably need restarting every time one of the IP addresses behind those hostnames changes. Squid will at least do a lookup for every request for dstdomain (you need a good DNS server nearby or on the squid box).

BTW, peek/splice/bump is not just install and forget. It needs maintenance and care in deployment.

Adding transparent into the mix makes it more difficult, as I can see you have found.

Try to keep the architecture as simple as you can and use each part to its best ability. Simple firewalls using hostnames for rules is a path to severe pain where round-robin is in place. Might be OK with a big, expensive FW appliance that has the ability to DNS lookup for every connection.



squid-users mailing list

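The peek/splice/bump arrangement described in the reply above, written out as a squid.conf fragment. This is an added example, not configuration posted by the list participant or shipped by the Squid project; the port number, certificate path and the two exception domains are assumptions chosen for illustration. It follows the reply's point that a dstdomain exception can be applied at the CONNECT/first step, while an ssl::server_name exception can only splice, because the SNI is only known after Squid has peeked at the client's TLS hello.

```conf
# Intercepted HTTPS port with SSL-Bump (transparent deployment, as in the thread).
# Certificate path and port are assumptions for this example.
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# SSL-Bump processing steps. At SslBump1 Squid only has the TCP destination
# (or the CONNECT target on an explicit proxy); at SslBump2 it has peeked
# at the TLS ClientHello and knows the SNI server name.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Sites where bumping breaks (example names, not real targets).
# dstdomain: usable at step 1, matches the CONNECT host or, for intercepted
# traffic, the reverse-DNS name of the destination IP.
acl nobump_dst dstdomain .bank.example .updates.example
# ssl::server_name: usable only from step 2 onward, matches the SNI.
acl nobump_sni ssl::server_name .bank.example .updates.example

# Step 1: splicing here is effectively a blind tunnel for the dstdomain
# exceptions; everything else is peeked so the SNI becomes available.
ssl_bump splice nobump_dst
ssl_bump peek step1

# Step 2: with the SNI known, splice the remaining exceptions and bump the rest.
# (peek at step 1 followed by bump at step 2 is a permitted combination.)
ssl_bump splice nobump_sni
ssl_bump bump all
```

The two exception ACLs list the same names deliberately: the dstdomain rule catches the site when Squid already knows a hostname at step 1, and the ssl::server_name rule catches it on intercepted connections where the only thing Squid learns is the SNI. Because dstdomain on intercepted traffic depends on reverse DNS and every request triggers a lookup, keep a resolver on or next to the Squid box, as the reply recommends.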