Re: [squid-users] SSL_bump ACL for destdomain

From: Mr J Potter <jpotter833_at_because.org.uk>
Date: Tue, 4 Feb 2014 13:10:36 +0000

I use a PAC file that points some domains to an SSL-bump proxy and
some to a non-SSL-bump one. Works for me:

function FindProxyForURL(url, host) {
        // Internal names and networks go DIRECT (no proxy at all).
        // The host argument never carries a port, so a pattern such as
        // "127.0.0.1:1793" can never match in isInNet() and is omitted.
        if (
                dnsDomainIs(host, ".because.org.uk") ||
                dnsDomainIs(host, ".bec.lan") ||
                dnsDomainIs(host, ".nbt.nhs.uk") ||
                isInNet(host, "10.15.0.0", "255.255.0.0") ||
                isInNet(host, "127.0.0.1", "255.0.0.0") ||
                isPlainHostName(host) ||
                dnsDomainIs(host, "iriscamera.bec.lan")
        ) {
                return "DIRECT";
        }
        // dnsDomainIs() is a plain suffix comparison, so test the apex
        // explicitly and require the leading dot for subdomains; a bare
        // "youtube.com" pattern would also match e.g. "notyoutube.com".
        if (
                host == "youtube.com" ||
                dnsDomainIs(host, ".youtube.com")
        ) {
                return "PROXY 10.15.244.40:3129"; // ssl bump youtube
        }

        return "PROXY 10.15.244.26:3128"; // don't bump anything else
}

Jim

On 4 February 2014 10:34, Yury Paykov <cry5tal_at_cry5tal.in> wrote:
> Hello, squid users, I'm currently having an issue trying to configure Squid
> (I use 3.3) to bypass a handful of sites.
> I mean, I want squid to NOT bump the connection.
>
> I employ the following in the config :
>
> acl https_proxy dstdomain www.google.com
> acl https_proxy dstdomain google.ru
>
> ssl_bump none https_proxy
> ssl_bump server-first all
>
> This should work like "If google, do not bump, else ssl-bump the connection".
> However, it doesn't work as expected and instead bumps google as well.
>
> When I used debugging, I saw that squid actually checks the IP address and then
> the PTR entry, neither of which is anything *google*:
>
> 2014/02/04 14:36:30.428| Acl.cc(336) matches: ACLList::matches: checking
> https_proxy
> 2014/02/04 14:36:30.428| Acl.cc(319) checklistMatches:
> ACL::checklistMatches: checking 'https_proxy'
> 2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList:
> checking '173.194.71.94'
> 2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList:
> '173.194.71.94' NOT found
> 2014/02/04 14:36:30.428| DomainData.cc(131) match: aclMatchDomainList:
> checking 'lb-in-f94.1e100.net'
> 2014/02/04 14:36:30.428| DomainData.cc(135) match: aclMatchDomainList:
> 'lb-in-f94.1e100.net' NOT found
>
>
> MY QUESTION IS - Is there a way to use CN information from server
> certificate which is retrieved with /server-first/ method? Can I construct
> an ACL rule based on it?
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-bump-ACL-for-destdomain-tp4664589.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
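The PAC approach in Jim's reply works because a PAC file routes on the hostname the browser already has, which Squid does not have when it sees only an IP. The following is an added example, not code from the thread: a routing function in the same style, with the PAC helper functions (dnsDomainIs, isPlainHostName, isInNet) re-implemented per the Netscape PAC spec so the routing can be unit-tested in Node without a browser. The proxy addresses, domains and networks are taken from Jim's PAC; the helper semantics (isInNet only matches IPv4 literals, where a browser would first resolve a hostname), the stricter inDomain() matcher and the test hosts are this example's own.

```javascript
// Added example: a PAC file in the style of the thread plus a small offline
// harness. The proxies/domains/networks come from the thread; everything
// else is an assumption of this example.

// dnsDomainIs() as browsers implement it: a bare suffix comparison.
// Pitfall: dnsDomainIs("notyoutube.com", "youtube.com") is true.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// isPlainHostName(): true when the host contains no dots at all.
function isPlainHostName(host) {
  return !host.includes('.');
}

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or
// return null if it is not one (a hostname, or "127.0.0.1:1793" with a
// port appended, which is why such a pattern is dead in a PAC file).
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// isInNet(host, pattern, mask). Assumption of this harness: host must
// already be an IPv4 literal; a real browser would resolve a hostname first.
function isInNet(host, pattern, mask) {
  const h = ipv4ToInt(host), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Stricter domain test than dnsDomainIs(): the apex itself or a true
// subdomain, never a lookalike such as "notyoutube.com".
function inDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

const DIRECT_DOMAINS = ['because.org.uk', 'bec.lan', 'nbt.nhs.uk'];
const BUMP_DOMAINS = ['youtube.com'];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (
    isPlainHostName(host) ||
    DIRECT_DOMAINS.some((d) => inDomain(host, d)) ||
    isInNet(host, '10.15.0.0', '255.255.0.0') ||
    isInNet(host, '127.0.0.0', '255.0.0.0')
  ) {
    return 'DIRECT';
  }
  if (BUMP_DOMAINS.some((d) => inDomain(host, d))) {
    return 'PROXY 10.15.244.40:3129'; // ssl-bump proxy
  }
  return 'PROXY 10.15.244.26:3128'; // non-bumping proxy
}

// Route a set of constructed test hosts and return host -> decision.
function routingTable() {
  const hosts = ['www.youtube.com', 'youtube.com', 'notyoutube.com', 'intranet',
    '10.15.3.7', '127.0.0.1:1793', 'because.org.uk', 'www.example.com'];
  return Object.fromEntries(hosts.map((h) => [h, FindProxyForURL('https://' + h + '/', h)]));
}

console.log(routingTable());
```

Two points the harness makes visible: the browser never passes a port in `host`, so an `isInNet(host, "127.0.0.1:1793", ...)` pattern can never match, and `dnsDomainIs(host, "youtube.com")` without a leading dot also routes `notyoutube.com` to the bumping proxy, which is why `inDomain()` checks for the apex or a dot-separated subdomain instead. Note that `inDomain()` also sends the apex `because.org.uk` DIRECT, whereas the original `dnsDomainIs(host, ".because.org.uk")` only matched subdomains.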
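The debug output in the question shows why the dstdomain ACL fails: Squid 3.3 evaluates ssl_bump at CONNECT time, and for an intercepted connection it only has the server IP and its PTR record, neither of which is google.com. The name the question asks for (SNI or the certificate's CN/SAN) only became usable in an ssl_bump ACL with the peek-and-splice mechanism and the ssl::server_name ACL added in Squid 3.5. The fragment below is an added example, not configuration from the thread or the Squid project; it assumes Squid 3.5 or later, an explicit proxy port (an intercepted setup would use https_port with intercept instead), and a CA certificate at /etc/squid/bump.pem (the path is an assumption).

```conf
# squid.conf fragment for Squid 3.5+ (added example; cert path is an assumption)
http_port 3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Weak form from the thread: dstdomain is evaluated when only the server IP
# and its PTR name are known, so www.google.com never matches and the
# catch-all rule bumps everything.
#   acl https_proxy dstdomain www.google.com google.ru
#   ssl_bump none https_proxy
#   ssl_bump server-first all

# Corrected form: peek at step 1 so the client's SNI is available at step 2,
# then splice (pass through untouched) the listed names and bump the rest.
acl step1 at_step SslBump1
acl nobump ssl::server_name .google.com .google.ru   # leading dot: apex and subdomains

ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all
```

Caveat: the splice decision here is made at step 2 from the client's SNI, which the client controls, so a client that puts www.google.com in its ClientHello while connecting to some other address gets an uninspected tunnel. Matching on the server certificate instead (what the question asks for) requires peeking at step 2, and Squid documents that peeking at the server Hello usually precludes bumping afterwards, so one rule set cannot both verify the certificate for the splice list and still bump everything else.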
Received on Tue Feb 04 2014 - 13:10:46 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 04 2014 - 12:00:04 MST