Alex would like to say that splice, when implemented, is easier to
maintain than iptables/firewall rules.

It's trivial to implement. Here is my config snippet:

# SSL bump rules
# Step 1 (SslBump1): only the CONNECT request is known, so peek to make
# the TLS ClientHello, and with it the SNI, visible.
acl DiscoverSNIHost at_step SslBump1
# Server names that must never be bumped, one regex per line; the file is
# the acl.ur.nobump fragment shown below (directory is assumed here).
acl NoSSLIntercept ssl::server_name_regex "/etc/squid/acl.ur.nobump"
ssl_bump peek DiscoverSNIHost
# Step 2: splice sites whose SNI matched the list, bump everything else.
ssl_bump splice NoSSLIntercept
ssl_bump bump all

acl.ur.nobump fragment:

# Adobe updates (web installation)
# Splicing is required because the web downloader uses SSL pinning

As Alex said, the splice list requires maintenance all the time.

The common rule is:

- Each SSL-pinning site must be spliced.

- Each OCSP-stapling site must be spliced.

- Each site that cannot be bumped should be spliced.

Feel free to RTFM first:

12.03.2018 00:39, Nicolas Kovacs writes:
> On 11/03/2018 at 16:48, Alex Crow wrote:
>> It would be a lot easier to just create exceptions on the squid device
>> for sites where bumping doesn't work, which cause them to be tunnelled or
>> spliced rather than bumped. You can then at least use dstdomain or
>> ssl:servername rules. dstdomain will let you tunnel or splice, whereas
>> with ssl servername you will only be able to splice, as an SSL connection must
>> already have been started AFAIK. Your firewall will probably need
>> restarting every time one of the IP addresses behind those hostnames
>> changes. Squid will at least do a lookup every request for dstdomain
>> (you need a good DNS server nearby or on the squid box).
> What would this configuration look like? Do you have a working example?
> Niki

"C++ seems like a language suitable for firing other people's legs."

* C++20 : Bug to the future *
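A fuller ssl_bump fragment, added here as an example and not taken from the thread or from the Squid project, that combines the two exception types Alex describes: a dstdomain list matched at step 1 against the CONNECT destination, and an ssl::server_name_regex list matched at step 2 against the peeked SNI. File paths and the sample regex are assumptions.

```squid
# Added example: three-step ssl_bump flow with both exception lists.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Destinations known from the CONNECT request itself. These can be
# spliced at step 1, before any TLS byte is inspected, so they work
# even for clients that send no SNI. Path is assumed; one domain per line.
acl nobump_dst dstdomain "/etc/squid/acl.ur.nobump.dstdomain"

# Server names learned from the peeked ClientHello. Only usable from
# step 2 onwards, because the TLS handshake must already have started.
# Path is assumed; the thread refers to this file as acl.ur.nobump.
# Sample regex line (assumed):  ^(.*\.)?example\.com$
acl nobump_sni ssl::server_name_regex "/etc/squid/acl.ur.nobump"

# Step 1: splice listed CONNECT destinations outright; otherwise peek so
# the SNI becomes visible while keeping the option to splice later.
ssl_bump splice nobump_dst
ssl_bump peek step1

# Step 2: splice anything whose SNI is on the regex list (SSL-pinned
# updaters, OCSP-stapling sites, anything that breaks when bumped).
ssl_bump splice nobump_sni

# Everything else is bumped.
ssl_bump bump all
```

Run `squid -k parse` after editing either list file so a malformed regex or domain entry is caught before a reconfigure, since a parse error in an ACL file leaves the bump/splice decision undefined for the affected sites.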
