Re: [squid-users] ssl-bump mode

From: Jury Bogdanov <>
Date: Wed, 9 Oct 2013 11:53:43 +0300

Thanks Alex and Amos.
I'm now using two ACLs: dst and dstdomain. It works fine.

Shawn, no, I want to bump more domains. Yes, I thought about this method.
My first message was an example.

2013/10/8 shawn wilson <>:
> If I understand correctly, you want to bump IPs from one domain, right?
> In your iptables rule, before it is redirected to squid, either have a
> jump with a list of IPs for that domain (or preferably an ipset list)
> and update that list with an external script (cron job or whatever).
> It's also possible to use a DNS server like powerdns that allows for
> different backends and could do this for you basically live (the name
> resolution is made before the request so if the rule is in place
> before the request you're set).
> Yeah, I'm speaking pretty abstractly as this will be a bit of work but
> quite doable.
> On Tue, Oct 8, 2013 at 3:25 PM, Alex Rousskov
> <> wrote:
>> On 10/08/2013 01:35 AM, Jury Bogdanov wrote:
>>> To isolate the IP's I need to know all of them. But I don't know all
>>> IP's. Some domains have a lot of IP's. Squid can't resolve the IP's?
>> Squid can (and does) perform a reverse DNS lookup when the request uses
>> an IP address and your ACL is using a domain name. Whether that reverse
>> DNS lookup is successful at all, or whether its result (the domain name)
>> matches your domain-based ACL value is outside of Squid's control. The
>> former depends primarily on the authoritative DNS zone setup. The latter
>> depends on that zone and on your ACL.
>> You can try performing reverse lookups yourself using the logged IP
>> address and command tools like dig. Squid results may differ, but often
>> do not, especially if both Squid and your command line tool are
>> configured to use the same DNS resolver.
>> Many popular sites use dozens of IP addresses, some of which cannot be
>> resolved back to the site name. IP:domain may also depend on the
>> physical location of the DNS client (i.e., Squid). I know some admins
>> that write complicated distributed scripts that try to maintain an
>> IP:domain map for some special cases of very popular sites and use that
>> in their bumping rules...
>> Good luck,
>> Alex.
>>> 2013/10/8 Amos Jeffries <>:
>>>> On 8/10/2013 8:07 a.m., Jury Bogdanov wrote:
>>>>> Yeah, you were right. When I replaced
>>>>> ssl_bump server-first vk
>>>>> With
>>>>> ssl_bump server-first all
>>>>> it works. But I can't understand how to fix that. I don't want to bump
>>>>> all connections.
>>>> That change was just a test to verify Alex's theory was correct.
>>>> For the final config you need to find some ACL condition or test that
>>>> matches the traffic you want to match. You can do so with multiple ssl_bump
>>>> lines and/or ACLs if necessary.
>>>> The specifics are up to you, but it sounds like you need to isolate the IP's
>>>> for that domain and permit bumping for them as well as for its domain name.
>>>> Amos
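The two-ACL approach Jury ended up with (a dstdomain ACL plus a dst ACL feeding ssl_bump), written out as an added squid.conf fragment. This is not configuration from the thread; the ACL names, domain and address range are constructed placeholders.

```conf
# Added example, not from the thread. ACL names, the domain and the
# address range below are constructed placeholders; adjust to your site.

# Match the site by name. On an intercepted connection Squid only knows
# the destination IP when it evaluates ssl_bump, so dstdomain relies on a
# reverse DNS lookup that may fail or return a different name.
acl bump_dom dstdomain .example.com

# Match the site by address as well, to cover IPs that do not resolve
# back to the site name. Keep this list current from your logs or a
# script; it is the part that needs ongoing maintenance.
acl bump_ip dst 192.0.2.0/24

# ssl_bump lines are evaluated in order and the first match wins.
# Only the two ACLs above are bumped; everything else is passed through
# untouched, which is what "server-first all" (used only as a test in
# the thread) would have lost.
ssl_bump server-first bump_dom
ssl_bump server-first bump_ip
ssl_bump none all
```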
Received on Wed Oct 09 2013 - 08:53:57 MDT