I believe it should have been: ^adobe\.com$ ^.*\.adobe\.com$ ^\*\.adobe\.com$ But I don’t know the code to this depth. If I would have written the match I think it would have been something a bit different. * A match for SNI * A joker match for SAN ie *.adobe.com SAN should catch both www.www.adobe.com <http://www.www.adobe.com> But for some reason it’s not like that, I assume the browsers and the libraries doesn’t implement it for an unknown reason. If Alex or anyone else from Factory knows the details of the ACL they can answer more then me. Thanks, Eliezer ---- Eliezer Croitoru NgTech, Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com <mailto:ngtech1...@gmail.com> Web: https://ngtech.co.il/ My-Tube: https://tube.ngtech.co.il/ From: robert k Wild <robertkw...@gmail.com> Sent: Tuesday, 2 August 2022 14:51 To: Eliezer Croitoru <ngtech1...@gmail.com> Cc: Squid Users <squid-users@lists.squid-cache.org> Subject: Re: [squid-users] regex for normal websites thanks Eliezer so it should be adobe\.com not .adobe.\com or ^.*adobe.com <http://adobe.com> as the ^.* could include blahadobe.com <http://blahadobe.com> On Thu, 28 Jul 2022 at 08:14, <ngtech1...@gmail.com <mailto:ngtech1...@gmail.com> > wrote: Hey Robert, The docs at http://www.squid-cache.org/Doc/config/acl/ states: acl aclname ssl::server_name_regex [-i] \.foo\.com ... # regex matches server name obtained from various sources [fast] Which and I do not know exactly what it means but it will not work with a helper in most cases. I have found the in the git the next sources: https://github.com/squid-cache/squid/blob/bf95c10aa95bf8e56d9d8d1545cb5a3aafab0d2c/doc/release-notes/release-3.5.sgml#L414 New types ssl::server_name and ssl::server_name_regex to match server name from various sources (CONNECT authority name, TLS SNI domain, or X.509 certificate Subject Name). Which means that there is a set of checks which the acl does and not just a domain name. It’s also even possible that the domain name is not know in the CONNECT state of the connection. If I remember correctly there is a possibility for browsers to use the same exact connection for multiple domains but I have not seen this yet in production. With Squid once you bump the connection to HTTP/1.x you can make 100% sure the features of the Host header request. At Servername.cc ie: https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L81 There is a specific logic of what is done and what is matched but I am not sure what would be used in the case of: *.adobe.com <http://adobe.com> Certificate SAN. Specifically This part of the Common Names ie SAN: https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L105 which to my understanding points to: https://github.com/squid-cache/squid/blob/d146da3bfe7083381ae7ab38640cbfd0d2542374/src/ssl/support.cc#L195 doesn’t make any sense to me.( didn’t tried that much to understand) If someone might be able to make sense of things in a synchronic fashion it would help. (I do not see any debugs usage there or any helping comment ) Thanks, Eliezer ---- Eliezer Croitoru NgTech, Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com <mailto:ngtech1...@gmail.com> Web: https://ngtech.co.il/ My-Tube: https://tube.ngtech.co.il/ From: squid-users <squid-users-boun...@lists.squid-cache.org <mailto:squid-users-boun...@lists.squid-cache.org> > On Behalf Of robert k Wild Sent: Wednesday, 27 July 2022 13:52 To: Squid Users <squid-users@lists.squid-cache.org <mailto:squid-users@lists.squid-cache.org> > Subject: Re: [squid-users] regex for normal websites that's the weird thing, when i try this in "ssl::server_name_regex" .adobe.com <http://adobe.com> it doesnt work you mean escape ie the \ character On Wed, 27 Jul 2022 at 11:05, Matus UHLAR - fantomas <uh...@fantomas.sk <mailto:uh...@fantomas.sk> > wrote: On 27.07.22 10:54, robert k Wild wrote: >think i got it right but just want to double check with you guys > >so in my "ssl::server_name" i had >.adobe.com <http://adobe.com> > >that worked but i want to mix normal website and regex websites together so >i just have one list for all
didn't the above work? AFAIK it should, IIRC domain matching in squid matches "domain.com <http://domain.com> " if you check for ".domain.com <http://domain.com> ". >i now have this for "ssl::server_name_regex" >^.*adobe.com <http://adobe.com> $ > >it works, so im guessing its right the dot should be escaped -- Matus UHLAR - fantomas, uh...@fantomas.sk <mailto:uh...@fantomas.sk> ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org <mailto:squid-users@lists.squid-cache.org> http://lists.squid-cache.org/listinfo/squid-users -- Regards, Robert K Wild. _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org <mailto:squid-users@lists.squid-cache.org> http://lists.squid-cache.org/listinfo/squid-users -- Regards, Robert K Wild.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
