[squid-users] SSL_bump ACL for destdomain

From: Yury Paykov <cry5tal_at_cry5tal.in>
Date: Tue, 4 Feb 2014 02:34:49 -0800 (PST)

Hello, squid users, I'm currently having an issue trying to configure Squid
(I use 3.3) to bypass a handful of sites.
I mean, I want squid to NOT bump the connection.
 
I employ the following in the config:
 
acl https_proxy dstdomain www.google.com
acl https_proxy dstdomain google.ru
 
ssl_bump none https_proxy
ssl_bump server-first all
 
This should work like "If google, do not bump, else ssl-bump the connection".
However, it doesn't work as expected and instead bumps google as well.
 
When I used debugging, I saw that squid actually checks the IP address and then
the PTR entry, neither of which is *google* anything:
 
2014/02/04 14:36:30.428| Acl.cc(336) matches: ACLList::matches: checking https_proxy
2014/02/04 14:36:30.428| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'https_proxy'
2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList: checking '173.194.71.94'
2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList: '173.194.71.94' NOT found
2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList: checking 'lb-in-f94.1e100.net'
2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList: 'lb-in-f94.1e100.net' NOT found
 
 
MY QUESTION IS - Is there a way to use the CN information from the server
certificate, which is retrieved with the /server-first/ method? Can I construct
an ACL rule based on it?

Received on Tue Feb 04 2014 - 10:35:33 MST
