Re: [squid-users] Fwd: detect user agent for ssl_bump using transparent mode on squid 3.3.3

From: Alex Rousskov <>
Date: Fri, 12 Apr 2013 13:06:37 -0600

On 04/12/2013 08:30 AM, Marcello Coutinho wrote:

> I'm trying to create some acls based on client browsers following
> instructions from
> But those works only in non-transparent mode.
> Is there a way to get around this, a squid options for example?
> The access log file shows user's browser while using combined logs but
> it seems that ssl_bump checks are done before user agent info.

When you intercept SSL, the decision on whether to bump the intercepted
SSL connection is done using TCP-level information. Once Peek and Splice
is ready, SSL Hello information will also be available (at the cost of
having to splice the client and server connections back after fiddling
with them).

Squid will never be able to make bumping (or splicing) decision based on
HTTP User-Agent header because, to get that header, Squid must first
bump the intercepted connection. In interception environment, there is
no unencrypted CONNECT request to get the User-Agent header from...


Received on Fri Apr 12 2013 - 19:06:57 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 13 2013 - 12:00:26 MDT