Re: [squid-users] Re: squid with qlproxy on fedora 20 not working for https traffic

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Jun 2014 22:18:05 +1200

On 12/06/2014 8:24 a.m., MrErr wrote:
> I got this working. The single change I made was adding the statement
>
> ssl_bump server-first all
>
> If I tried anything else other than "all" it did not work, https
> filtering did not happen. Does anyone know if there is some kind of bug?

When server-first ACLs are tested for port 443 intercepted traffic Squid
has only pieces of information available:

1) client IP:port (src, src_regex, srcport ACLs - all, localnet,
localhost work)

2) squid listening IP:port (myip, myport, and myportname ACL)

3) server IP:port the client tried connecting to (dst, dst_regex ACLs -
to_localhost works)

ssl_bump is a "fast" group ACL lookup so DNS resolution of those IP
addresses to domain names is not reliably available.

Your initial configuration relies on domain names being known, "all"
depends on src IP being known.

Amos
Received on Thu Jun 12 2014 - 10:18:24 MDT
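
Added example, not part of the message above or of the original poster's configuration: a squid.conf fragment using the `ssl_bump server-first` syntax from the thread, with rules built only from the three kinds of information the reply lists as available for intercepted port 443 traffic, beside a domain-name rule of the kind that cannot be relied on at that point. The port number, certificate path, ACL names, addresses and domain are constructed placeholders, and the use of `dstdomain` for the domain-based rule is an assumption.

```conf
# Constructed example; every value below is a placeholder.

# Intercepting TLS listener. name= gives myportname a stable label to match.
https_port 3129 intercept ssl-bump name=tls_intercept generate-host-certificates=on cert=/etc/squid/bump-ca.pem

# 1) Client IP:port is known, so src-type ACLs can match.
acl filtered_clients src 192.168.1.0/24

# 2) Squid's listening IP:port is known, so myportname can match.
acl from_tls_intercept myportname tls_intercept

# 3) The server IP:port the client connected to is known, so dst can match.
acl no_bump_servers dst 203.0.113.10 203.0.113.11

# Domain-based ACL: needs a host name. ssl_bump is a "fast" lookup, so
# resolving the intercepted destination IP to a name is not reliably available.
acl no_bump_sites dstdomain .bank.example

# Unreliable for intercepted 443 traffic (kept commented out for comparison):
# ssl_bump none no_bump_sites

# Decided purely on IP/port facts, evaluated top to bottom, first match wins:
ssl_bump none no_bump_servers
ssl_bump server-first from_tls_intercept filtered_clients
ssl_bump none all
```

Running `squid -k parse` after editing checks the syntax before the proxy is reloaded.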
