Re: HTTPS pass through / SNI filtering

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 06 Jul 2011 20:36:55 +1200

On 06/07/11 18:34, Deniz Eren wrote:
> Hi;
>
> Can you give me an idea from where to start in order to pass https
> traffic unprocessed through squid or implement SNI filtering for
> squid, that will be enough to start my project.
>
> Thanks in advance..
>

We have not yet gotten around to implementing a "ssl" flag on http_port
directives. You will need to start with that to allow detection of the
case where ssl traffic is intercepted on a port.

You will need to adjust TunnelStateData so that you can create it with
only a Comm::Connection object instead of a ClientHttpRequest or
HttpRequest object.

You will need to then figure out what changes to ConnStateData are
needed to detect the intercept+ssl flags case and do SNI instead of
parsing an HTTP request. Have it spawn a TunnelStateData object to do
the actual bit-relay work. Somehow making sure the whole SSL sequence
including SNI data arrive properly at the destination server without
getting lost or swallowed by Squid's processing.

Good luck.

>
> On Mon, Jul 4, 2011 at 3:04 PM, Deniz Eren<deniz_at_denizeren.net> wrote:
>> Hi;
>>
>> I'm planning to work on an acl which uses SNI. But I need to pass
>> https traffic through squid without processing it. Because I'm not
>> interested in filtering or seeing the content, SNI server_name info
>> will be enough. But with squid it is not possible to pass https
>> traffic without processing it. In my design I won't use proxy, the
>> iptables rule below will redirect https traffic to squid:
>>
>> iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT
>> --to-destination 192.168.0.1:3128
>>
>> Can you give me ideas how to solve above problem? And also are you
>> working on SNI filtering?
>>
>> Good day to you..
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
Received on Wed Jul 06 2011 - 08:37:06 MDT
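The design sketched above has the intercept path read the SNI from the ClientHello and then hand the connection to TunnelStateData so the whole TLS exchange reaches the origin intact. As an added illustration (not Squid's own code), the parser below peeks at a buffered ClientHello without consuming it, so the same bytes can still be relayed verbatim; `buildClientHello` produces a constructed sample record, and both function names are assumptions for this example.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Peek at a buffered TLS ClientHello and return its SNI host_name, or "" if the
// record is incomplete, not a ClientHello, or has no host_name. Every index is
// bounds-checked and the buffer is never consumed, so it can be relayed as-is.
std::string extractSni(const std::vector<uint8_t>& buf) {
    auto u16 = [&](size_t i) { return size_t(buf[i]) << 8 | buf[i + 1]; };
    if (buf.size() < 5 || buf[0] != 0x16) return "";              // handshake record
    size_t end = 5 + u16(3);                                      // end of record payload
    if (end > buf.size() || end < 9 || buf[5] != 0x01) return ""; // ClientHello
    size_t p = 9 + 2 + 32;                                        // skip hdr, version, random
    if (p >= end) return "";
    p += 1 + buf[p];                                              // session_id
    if (p + 2 > end) return "";
    p += 2 + u16(p);                                              // cipher_suites
    if (p >= end) return "";
    p += 1 + buf[p];                                              // compression_methods
    if (p + 2 > end) return "";
    size_t extEnd = p + 2 + u16(p);                               // extensions block
    if (extEnd > end) return "";
    for (p += 2; p + 4 <= extEnd;) {
        size_t type = u16(p), len = u16(p + 2);
        p += 4;
        if (p + len > extEnd) return "";
        if (type == 0 && len >= 5 && buf[p + 2] == 0) {           // server_name, host_name
            size_t nameLen = u16(p + 3);
            if (nameLen + 5 > len) return "";
            return std::string(buf.begin() + p + 5, buf.begin() + p + 5 + nameLen);
        }
        p += len;
    }
    return "";
}
// Constructed sample input: a minimal ClientHello (zeroed random, one cipher
// suite) whose only extension is server_name. Real clients send far more.
std::vector<uint8_t> buildClientHello(const std::string& host) {
    auto be16 = [](std::vector<uint8_t>& v, size_t n) { v.push_back(uint8_t(n >> 8)); v.push_back(uint8_t(n)); };
    std::vector<uint8_t> ext = {0x00, 0x00};                      // extension type server_name
    be16(ext, host.size() + 5); be16(ext, host.size() + 3);       // ext len, list len
    ext.push_back(0x00); be16(ext, host.size());                  // name_type host_name, len
    ext.insert(ext.end(), host.begin(), host.end());
    std::vector<uint8_t> body = {0x03, 0x03};                     // client_version
    body.insert(body.end(), size_t(32), uint8_t(0));              // random
    body.insert(body.end(), {0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00}); // sid, suites, compr
    be16(body, ext.size()); body.insert(body.end(), ext.begin(), ext.end());
    std::vector<uint8_t> rec = {0x16, 0x03, 0x01};                // handshake record header
    be16(rec, body.size() + 4); rec.insert(rec.end(), {0x01, 0x00}); // rec len, ClientHello
    be16(rec, body.size()); rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}
```

A truncated record yields "", which is the cue to keep reading from the client before deciding rather than to forward a partial ClientHello.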

This archive was generated by hypermail 2.2.0 : Wed Jul 06 2011 - 12:00:03 MDT