Hey Robert,

The docs at http://www.squid-cache.org/Doc/config/acl/ state:

    acl aclname ssl::server_name_regex [-i] \.foo\.com ...
      # regex matches server name obtained from various sources [fast]

Which and I do not know exactly what it means but it will not work with a helper in most cases.

I have found in the git the next sources:
https://github.com/squid-cache/squid/blob/bf95c10aa95bf8e56d9d8d1545cb5a3aafab0d2c/doc/release-notes/release-3.5.sgml#L414

    New types ssl::server_name and ssl::server_name_regex to match server name from various sources (CONNECT authority name, TLS SNI domain, or X.509 certificate Subject Name).

Which means that there is a set of checks which the acl does and not just a domain name.
It's also even possible that the domain name is not known in the CONNECT state of the connection.
If I remember correctly there is a possibility for browsers to use the same exact connection for multiple domains but I have not seen this yet in production.
With Squid once you bump the connection to HTTP/1.x you can make 100% sure the features of the Host header request.

At Servername.cc ie:
https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L81

There is a specific logic of what is done and what is matched but I am not sure what would be used in the case of:
*.adobe.com
Certificate SAN.

Specifically this part of the Common Names ie SAN:
https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L105

which to my understanding points to:
https://github.com/squid-cache/squid/blob/d146da3bfe7083381ae7ab38640cbfd0d2542374/src/ssl/support.cc#L195

doesn't make any sense to me (didn't try that much to understand).

If someone might be able to make sense of things in a synchronic fashion it would help.
(I do not see any debugs usage there or any helping comment)

Thanks,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of robert k Wild
Sent: Wednesday, 27 July 2022 13:52
To: Squid Users <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] regex for normal websites

that's the weird thing, when i try this in "ssl::server_name_regex"

.adobe.com

it doesn't work

you mean escape ie the \ character

On Wed, 27 Jul 2022 at 11:05, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

On 27.07.22 10:54, robert k Wild wrote:
>think i got it right but just want to double check with you guys
>
>so in my "ssl::server_name" i had
>.adobe.com
>
>that worked but i want to mix normal website and regex websites together so
>i just have one list for all

didn't the above work? AFAIK it should, IIRC domain matching in squid matches "domain.com" if you check for ".domain.com".

>i now have this for "ssl::server_name_regex"
>^.*adobe.com$
>
>it works, so I'm guessing it's right

the dot should be escaped

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

--
Regards,
Robert K Wild.
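
Added example, not part of any message in the thread and not Squid code: it compares which server names the patterns discussed above accept, to show what the unescaped dot and the missing anchors let through. Assumptions: Python's re stands in for Squid's regex engine (unanchored search), the server names are constructed, domain_acl only models the ".domain.com" behaviour Matus recalls, and the escaped_anchored pattern is a suggestion added here.

```python
import re

# Constructed server names, as Squid might obtain them from the CONNECT
# authority, the TLS SNI or the certificate subject (per the release notes).
NAMES = ["adobe.com", "www.adobe.com", "notadobe.com", "adobe-com",
         "www.adobexcom", "www.adobe.com.example.net"]

# Patterns from the thread plus one escaped, anchored alternative (added here).
PATTERNS = {
    "thread_unescaped": r"^.*adobe.com$",      # the pattern reported as working
    "bare_entry": r".adobe.com",               # ssl::server_name entry reused as a regex
    "escaped_anchored": r"(^|\.)adobe\.com$",  # dot escaped, label boundary enforced
}


def regex_acl(pattern, name, ignore_case=False):
    """Unanchored regex search; ignore_case mirrors the ACL's -i option."""
    return re.search(pattern, name, re.I if ignore_case else 0) is not None


def domain_acl(entry, name):
    """Leading-dot suffix match, modelling what Matus describes (assumption)."""
    entry, name = entry.lower(), name.lower().rstrip(".")
    if entry.startswith("."):
        return name == entry[1:] or name.endswith(entry)
    return name == entry


def matched(kind):
    """Return the sample names a given pattern (or the domain entry) accepts."""
    if kind == "domain_entry":
        return [n for n in NAMES if domain_acl(".adobe.com", n)]
    return [n for n in NAMES if regex_acl(PATTERNS[kind], n)]


if __name__ == "__main__":
    for kind in [*PATTERNS, "domain_entry"]:
        print(f"{kind:17} {matched(kind)}")
```

With these samples, only the escaped and anchored pattern accepts the same names as the ".adobe.com" domain entry; the other two either miss the bare domain or accept names outside it.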