Re: [squid-users] SSL_bump ACL for destdomain

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 05 Feb 2014 02:17:51 +1300

On 4/02/2014 11:34 p.m., Yury Paykov wrote:
> Hello, squid users, I'm currently having an issue trying to configure Squid
> (using 3.3) to bypass a handful of sites.
> I mean, I want squid to NOT bump the connection.
>
> I employ the following in the config :
>
> acl https_proxy dstdomain www.google.com
> acl https_proxy dstdomain google.ru
>
> ssl_bump none https_proxy
> ssl_bump server-first all
>
> This should work like "If google, do not bump, else ssl-bump the connection"
> However, it doesn't work as expected and instead bumps google as well
>
> When I used debugging, I saw that squid actually checks IP address and then
> - the PTR entry, where neither is *google* anything
>
> 2014/02/04 14:36:30.428| Acl.cc(336) matches: ACLList::matches: checking
> https_proxy
> 2014/02/04 14:36:30.428| Acl.cc(319) checklistMatches:
> ACL::checklistMatches: checking 'https_proxy'
> 2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList:
> checking '173.194.71.94'
> 2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList:
> '173.194.71.94' NOT found
> 2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList:
> checking 'lb-in-f94.1e100.net'
> 2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList:
> 'lb-in-f94.1e100.net' NOT found
>

That would be because the IP address is all Squid has to work with from
the TCP packet and the best domain that can be known is the PTR record.

FYI: 1e100.net is a google domain just as much as "google.com" etc.
Add " .1e100.net " to your dstdomain ACL and it will work better.

>
> MY QUESTION IS - Is there a way to use CN information from server
> certificate which is retrieved with /server-first/ method? Can I construct
> an ACL rule based on it?

Not until after the bumping happens.

Amos
Received on Tue Feb 04 2014 - 13:17:55 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 04 2014 - 12:00:04 MST
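Added example (not code from the thread or from Squid itself): a small Python model of why the ACL above fails and why Amos's fix works. It extracts the strings Squid actually compared against the ACL from the `aclMatchDomainList` debug lines Yury posted (reproduced here as a constructed, unwrapped sample), applies Squid's documented `dstdomain` matching rules (an entry with a leading dot matches that domain and its subdomains, an entry without one matches only exactly), and evaluates the two `ssl_bump` rules in order. The function and constant names are my own assumptions for illustration, not Squid's.

```python
import re

# Constructed sample: the two "checking" / "NOT found" pairs from the post,
# re-joined onto single lines (the mail client had wrapped them).
DEBUG_LOG = """\
2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList: checking '173.194.71.94'
2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList: '173.194.71.94' NOT found
2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList: checking 'lb-in-f94.1e100.net'
2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList: 'lb-in-f94.1e100.net' NOT found
"""

CHECK_RE = re.compile(r"aclMatchDomainList: checking '([^']+)'")


def candidates_from_debug(log: str) -> list[str]:
    """Return the strings Squid compared against the dstdomain ACL, in order.

    For an intercepted TLS connection those are only the destination IP and,
    after a reverse lookup, its PTR name; no Host header or SNI is available.
    """
    return CHECK_RE.findall(log)


def dstdomain_match(entry: str, name: str) -> bool:
    """Squid dstdomain semantics for one ACL entry against one candidate.

    '.example.net' matches example.net and every subdomain of it;
    'example.net' (no leading dot) matches example.net only.
    Comparison is case-insensitive; a trailing dot on either side is ignored.
    """
    entry = entry.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if entry.startswith("."):
        return name == entry[1:] or name.endswith(entry)
    return name == entry


def acl_matches(entries: list[str], candidates: list[str]) -> bool:
    """True if any ACL entry matches any candidate (IP or PTR name)."""
    return any(dstdomain_match(e, c) for e in entries for c in candidates)


def ssl_bump_decision(rules, acls, candidates) -> str:
    """Evaluate ordered (action, acl_name) ssl_bump rules; first match wins.

    The built-in 'all' ACL always matches. If nothing matches, Squid does
    not bump, so 'none' is returned.
    """
    for action, acl_name in rules:
        if acl_name == "all" or acl_matches(acls[acl_name], candidates):
            return action
    return "none"


# Yury's ACL as posted, and the same ACL with Amos's suggested entry added.
ORIGINAL_ACL = {"https_proxy": ["www.google.com", "google.ru"]}
FIXED_ACL = {"https_proxy": ["www.google.com", "google.ru", ".1e100.net"]}

# ssl_bump none https_proxy / ssl_bump server-first all
RULES = [("none", "https_proxy"), ("server-first", "all")]


if __name__ == "__main__":
    cands = candidates_from_debug(DEBUG_LOG)
    print("Squid compared:", cands)
    print("original ACL ->", ssl_bump_decision(RULES, ORIGINAL_ACL, cands))
    print("with .1e100.net ->", ssl_bump_decision(RULES, FIXED_ACL, cands))
```

Running it shows the original ACL yielding `server-first` (the connection is bumped) and the ACL with `.1e100.net` yielding `none`. Two caveats a practitioner should keep in mind: the leading dot matters, since `1e100.net` without it would match only that bare name and never `lb-in-f94.1e100.net`; and a bypass list driven by reverse DNS is only as trustworthy as the PTR zones of the networks involved, because Squid has nothing else to go on before the bump.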