On 10/01/2016 10:26 p.m., Nir Krakowski wrote:
> 1. You're forgetting I only refer specific traffic using /etc/hosts to
> squid.
You missed my point.
1) clientConn is where the traffic *came from*. Not where it is going to.
2) Host: header verification is only relevant to MITM (intercept/tproxy
1. You're forgetting I only refer specific traffic using /etc/hosts to
squid.
2. What do you suggest ? I want to use the SNI as the direction of the
traffic, not the forwarded IP address.
On Sun, Jan 10, 2016 at 6:30 AM, Amos Jeffries wrote:
> On 9/01/2016 7:48 a.m., Nir Krakowski wrote:
> > Thi
On 9/01/2016 7:48 a.m., Nir Krakowski wrote:
> This is what needs to be done to get it to work in squid >3.5 in function
> ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
> Dns::LookupDetails &dns):
>
Hell NO
clientConn is the state data about the TCP connection the m
This is what needs to be done to get it to work in squid >3.5 in function
ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
Dns::LookupDetails &dns):
modify:
}
debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
to:
}
i
On 6/01/2016 8:30 a.m., Nir Krakowski wrote:
> how can you combine accel proxy with ssl-bump ?
>
To use accel mode the proxy needs to be an origin for the domain and
thus have access to the server's TLS private keys. If you have those keys
just use a normal https_port (note the 's') to receive the
What you need is peek and splice setup.
http://wiki.squid-cache.org/Features/SslPeekAndSplice
Eliezer
On 05/01/2016 22:50, Nir Krakowski wrote:
I'm trying to monitor outgoing connections but would not like to monitor
youtube because of volume.
This is for an enterprise so it's definitely legal.
I'm trying to monitor outgoing connections but would not like to monitor
youtube because of volume.
This is for an enterprise so it's definitely legal.
Nir.
On Tue, Jan 5, 2016 at 10:08 PM, Antony Stone <
antony.st...@squid.open.source.it> wrote:
> On Tuesday 05 January 2016 at 21:03:09, Nir Kra
On Tuesday 05 January 2016 at 21:03:09, Nir Krakowski wrote:
> eg: /etc/hosts
> mail.google.com 10.0.0.250
> as for the ssl certificate, I hope to self sign with a made up root CA.
What are you trying to achieve with this setup,
and have you checked whether it is legal in your country / organisa
because the destination IP is the actual machine IP.
eg: /etc/hosts
mail.google.com 10.0.0.250
that at 10.0.0.250
as for the ssl certificate, I hope to self sign with a made up root CA.
Nir.
On Tue, Jan 5, 2016 at 9:44 PM, Antony Stone <
antony.st...@squid.open.source.it> wrote:
> On Tuesday
On Tuesday 05 January 2016 at 20:30:06, Nir Krakowski wrote:
> how can you combine accel proxy with ssl-bump ?
Have you looked at http://www.squid-cache.org/Doc/config/http_port/ ?
You put the certificate (which would normally be on the web server) on the
Squid server (because that's the machin
how can you combine accel proxy with ssl-bump ?
the problem: intercept mode looks at IP addresses
requested solution: we need to look at the SNI info..
Anybody ever done this ?
Thanks,
Nir.
___
squid-users mailing list
squid-users@lists.squid-cache.or