> On 10/07/2013 09:19 AM, Alex Rousskov wrote:> On 10/07/2013 03:29 AM, Jury Bogdanov wrote:
>>> Hello. I have some problems with ssl-bump mode. Can you help me, please?
>>> My configuration:
>>
>>> https_port 192.168.56.100:3130 transparent ssl-bump
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> cert=/home/mut/squid.pem key=/home/mut/squid.key
>>> acl vk dstdomain .vk.com
>>> ssl_bump server-first vk
>>> http_access deny vk all
>>
>>> But I can open https://vk.com
On 10/07/2013 10:57 AM, Jury Bogdanov wrote:
> In access.log I see CONNECT request to vk's ip
Your vk ACL is not using an IP address, it is using a domain name. The
client is using an IP address in their CONNECT request (this is common
for some clients). It is likely that the reverse DNS lookup of vk's IP
either fails or does not match vk.com. As a result, the vk ACL in your
"ssl_bump server-first" rule does not match and the connection is not
bumped.
To check, you can replace
ssl_bump server-first vk
with
ssl_bump server-first all
and see if the CA certificate used to encrypt the response changes to
that of Squid.
BTW, for most purposes,
http_access deny vk all
is equivalent to
http_access deny vk
Please double check that that is what you expect/want.
HTH,
Alex.
P.S. Please keep this thread on the mailing list.
Received on Mon Oct 07 2013 - 17:35:53 MDT
This archive was generated by hypermail 2.2.0 : Tue Oct 08 2013 - 12:00:21 MDT