On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
> You only have external helper (which you must write yourself) in 3.4.x.

Are there any examples that I can look at to implement this external helper for doing selective ssl_bumps? And what would this helper script do anyways? All we have is the destination IP address, which is not really going to give us the actual HTTP hostname.

> Works with domains in ssl bump fully available at least 3.5.x

Does the 3.5.x implementation decrypt the whole payload and then do the ssl_bump? The "peek" option seems to imply that only the HTTP headers are peeked at. I guess what I am asking is, is there any way we can do this without actually decrypting the payload?

> 12.03.15 21:01, Mukul Gandhi wrote:
> > I am running squid 3.4.8 and am looking for solutions to ssl_bump
> > for specific domains only. Going through the archives it is clear
> > that it is not possible unless the reverse DNS points back to the
> > domain that is to be ssl bumped.
> >
> > So then what is the solution to this problem? I just want to create
> > an SSL whitelist of domains that are to be bumped and the rest
> > should be tunneled through. What I have is -
> >
> > ssl_bump none localhost
> > acl ssl_whitelist dstdomain "/tmp/ssl_whitelist.txt"
> > ssl_bump server-first ssl_whitelist
> >
> > The file /tmp/ssl_whitelist.txt contains -
> >
> > .facebook.com
> > .twitter.com
> > .pintrest.com
> >
> > Of course, this doesn't work because the IP address for these
> > websites points back to <something>.akamaitechnologies.com.
> >
> > All I want is to be able to decrypt just the traffic to these
> > three web-sites, the rest should go through encrypted. But I
> > couldn't find a solution for this anywhere in the archives. I did
> > see some mention of using SslBump1/2/3 but it wasn't clear if this
> > was the silver bullet. Also I would have to upgrade to 3.5 to use
> > these new directives.
> >
> > Any idea how I can achieve this in 3.4.8 (if possible)? Or if a
> > solution exists for this in 3.5?
> >
> > Thanks, -Mukul
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
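For reference, the Squid 3.5 peek-and-splice form of the whitelist from the thread, as an added example that is not part of the original messages. It assumes a 3.5.x build that provides the `ssl::server_name` ACL and reuses the `/tmp/ssl_whitelist.txt` file from the message above; the ACL name `step1` is chosen here for illustration.

```conf
# Added example for Squid 3.5.x; not taken from the thread.

# True during the first SslBump step, when only the TLS ClientHello
# from the client has been received.
acl step1 at_step SslBump1

# Match on the server name the client asked for in its ClientHello (SNI)
# instead of on reverse DNS of the destination IP, which is what made the
# dstdomain ACL in the 3.4.8 config match *.akamaitechnologies.com.
acl ssl_whitelist ssl::server_name "/tmp/ssl_whitelist.txt"

# Step 1: read the cleartext ClientHello only; nothing is decrypted yet.
ssl_bump peek step1

# Step 2: decrypt only connections whose requested name is whitelisted.
ssl_bump bump ssl_whitelist

# Everything else is passed through as an opaque TCP tunnel.
ssl_bump splice all
```

Clients that send no SNI never match `ssl_whitelist` and are spliced by the last rule.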