On 20/05/22 23:26, robert k Wild wrote:
> Sorry I'm a bit thick


Don't be. These things beyond plain-text HTTP are unfortunately a bit complex.

The key thing to remember is that Squid is dealing with *layers* of protocols wrapped around each other.

This wiki page <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Terminology> documents the process as well as we can.

> So I've read SSL::server_name_regex which uses sni is better than dstdomain_regex
>
> So I think I'm better off using the sni one then?


Neither is "better". They check different things.

Usually checking _both_ is useful since "HTTPS" is an HTTP request (with domain) wrapped inside TLS (with SNI). The two values there are usually supposed to be the same, but may not be.

The ssl_bump access controls should check ssl::server_name* ACLs.

The http_access should check dst* ACLs for HTTP message URL, and may also check ssl::* ACLs for TLS details (including the TLS server name).


HTH
Amos
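A squid.conf fragment showing the two layers of checks described in the reply above. This is an added example, not configuration from the original thread or from the Squid project; the domain .example.com, the certificate path /etc/squid/bump.pem and the helper paths are placeholders, and the assumption is Squid 4 or later (which has the at_step, ssl::server_name and proto ACLs).

```conf
# Explicit proxy port with SSL-Bump enabled. Paths are placeholders.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# TLS layer: the server name taken from the CONNECT target / SNI
# (and, once known, the server certificate).
acl tls_allowed  ssl::server_name .example.com

# HTTP layer: the domain from the request URL inside the (decrypted) connection.
acl http_allowed dstdomain .example.com

# Which SslBump step we are at. Peeking at step 1 is what makes the
# SNI available for the decision at step 2.
acl step1 at_step SslBump1

# Bumped HTTPS requests carry an https:// URL; plain HTTP carries http://.
acl https_url proto HTTPS

# --- ssl_bump: TLS-layer decisions use ssl::server_name* ACLs only ---
ssl_bump peek step1
ssl_bump bump tls_allowed
ssl_bump splice all

# --- http_access: HTTP-layer decisions use dst* ACLs, plus ssl::* if wanted ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# CONNECT (real or the fake one Squid generates for bumping) is judged
# on the TLS-layer name.
http_access allow CONNECT tls_allowed

# Plain HTTP has no TLS layer, so only the URL domain can be checked.
http_access allow http_allowed !https_url

# Decrypted HTTPS: require the HTTP URL domain AND the TLS server name
# to both be on the allowlist, so a mismatch between SNI and Host is refused.
http_access allow http_allowed https_url tls_allowed

http_access deny all
```

The point of the last allow rule is the "usually the same, but may not be" caveat: a client can send one name in the SNI and another in the HTTP request inside the tunnel, so checking only dstdomain (or only ssl::server_name) lets one of the two layers go unchecked.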
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users