Re: [squid-users] ssl-bump mode

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 08 Oct 2013 13:25:09 -0600

On 10/08/2013 01:35 AM, Jury Bogdanov wrote:

> To isolate the IPs I need to know all of them. But I don't know all
> IPs. Some domains have a lot of IPs. Squid can't resolve the IPs?

Squid can (and does) perform a reverse DNS lookup when the request uses
an IP address and your ACL is using a domain name. Whether that reverse
DNS lookup is successful at all, or whether its result (the domain name)
matches your domain-based ACL value is outside of Squid control. The
former depends primarily on the authoritative DNS zone setup. The latter
depends on that zone and on your ACL.

You can try performing reverse lookups yourself using the logged IP
address and command tools like dig. Squid results may differ, but often
do not, especially if both Squid and your command line tool are
configured to use the same DNS resolver.

Many popular sites use dozens of IP addresses, some of which cannot be
resolved back to the site name. IP:domain may also depend on the
physical location of the DNS client (i.e., Squid). I know some admins
that write complicated distributed scripts that try to maintain an
IP:domain map for some special cases of very popular sites and use that
in their bumping rules...

Good luck,

Alex.

> 2013/10/8 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On 8/10/2013 8:07 a.m., Jury Bogdanov wrote:
>>>
>>> Yeah, you were right. When I replaced
>>> ssl_bump server-fist vk
>>>
>>> With
>>> ssl_bump server-first all
>>> it works. But I can't understand how to fix that. I don't want to bump
>>> all connections.
>>
>>
>> That change was just a test to verify Alex's theory was correct.
>>
>> For the final config you need to find some ACL condition or test that
>> matches the traffic you want to match. You can do so with multiple ssl_bump
>> lines and/or ACLs if necessary.
>>
>> The specifics are up to you, but it sounds like you need to isolate the IPs
>> for that domain and permit bumping for them as well as for its domain name.
>>
>> Amos
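The check Alex suggests above (reverse-resolve the logged destination IPs yourself and see whether the resulting names would actually match a domain-based ACL) can be scripted. The following is an added example, not code from the thread or from the Squid project; it assumes the Squid `dstdomain` matching rule (a value with a leading dot matches the domain and all its subdomains, otherwise exact match) and uses a constructed, offline stand-in for the reverse DNS zone so it runs without network access. Swap in the default `socket.gethostbyaddr` resolver to run it against real logged IPs; as the message notes, results can differ from Squid's own lookups unless both use the same resolver.

```python
"""Reverse-resolve logged IPs and test them against a dstdomain-style ACL.

Added example (not part of the original thread). Run stand-alone with the
constructed fake zone below, or pass resolver=socket.gethostbyaddr for real
lookups against the IPs taken from access.log.
"""
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample of destination IPs as they might appear in access.log.
# These are documentation ranges (RFC 5737), not real site addresses.
SAMPLE_LOGGED_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]

# Constructed stand-in for the authoritative reverse (PTR) zone, so the
# example runs offline. 198.51.100.7 deliberately has no PTR record, which
# is the "cannot be resolved back to the site name" case from the message.
FAKE_PTR_ZONE = {
    "192.0.2.10": "srv1.vk.example.",
    "192.0.2.11": "vk.example.",
}

ResolverFn = Callable[[str], Tuple[str, list, list]]


def fake_resolver(ip: str) -> Tuple[str, list, list]:
    """Mimic socket.gethostbyaddr() against the constructed zone."""
    if ip not in FAKE_PTR_ZONE:
        raise socket.herror(1, "Unknown host")
    return (FAKE_PTR_ZONE[ip], [], [ip])


def reverse_lookup(ip: str, resolver: ResolverFn = socket.gethostbyaddr) -> Optional[str]:
    """Return the canonical PTR name for ip (lowercased, no trailing dot), or None."""
    try:
        name, _aliases, _addrs = resolver(ip)
    except (socket.herror, socket.gaierror):
        return None
    return name.rstrip(".").lower()


def dstdomain_matches(hostname: str, acl_value: str) -> bool:
    """Squid dstdomain semantics (assumed here): '.vk.example' matches
    vk.example and every subdomain; 'vk.example' matches only itself."""
    host = hostname.rstrip(".").lower()
    value = acl_value.rstrip(".").lower()
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def classify_ips(ips: Iterable[str], acl_values: Iterable[str],
                 resolver: ResolverFn = socket.gethostbyaddr) -> Dict[str, str]:
    """Map each IP to 'no-ptr', 'match:<name>' or 'mismatch:<name>'.

    'no-ptr' and 'mismatch' are the IPs that an ssl_bump rule keyed only on
    the domain name will never select, so they need their own ACL entry."""
    acl_values = list(acl_values)
    result: Dict[str, str] = {}
    for ip in ips:
        name = reverse_lookup(ip, resolver)
        if name is None:
            result[ip] = "no-ptr"
        elif any(dstdomain_matches(name, v) for v in acl_values):
            result[ip] = "match:" + name
        else:
            result[ip] = "mismatch:" + name
    return result


if __name__ == "__main__":
    for ip, verdict in classify_ips(SAMPLE_LOGGED_IPS, [".vk.example"],
                                    resolver=fake_resolver).items():
        print(f"{ip:16} {verdict}")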
Received on Tue Oct 08 2013 - 19:25:43 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 09 2013 - 12:00:05 MDT
