Thanks Amos,

So does that mean for all my SSL::server_name ACLs, I should be using SSL_bump and not http_access?

On Sat, 21 May 2022, 06:10 Amos Jeffries, <squ...@treenet.co.nz> wrote:

> On 20/05/22 23:26, robert k Wild wrote:
> > Sorry I'm a bit thick
> >
>
> Don't be. These things beyond plain-text HTTP are unfortunately a bit
> complex.
>
> The key thing to remember is that Squid is dealing with *layers* of
> protocols wrapped around each other.
>
> This wiki page
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Terminology>
> documents the process as well as we can.
>
> > So I've read SSL::server_name_regex which uses sni is better than
> > dstdomain_regex
> >
> > So I think I'm better off using the sni one then?
> >
>
> Neither is "better". They check different things.
>
> Usually checking _both_ is useful since "HTTPS" is an HTTP request (with
> domain) wrapped inside TLS (with SNI). The two values there are usually
> supposed to be the same, but may not be.
>
> The ssl_bump access controls should check ssl::server_name* ACLs.
>
> The http_access should check dst* ACLs for HTTP message URL, and may
> also check ssl::* ACLs for TLS details (including the TLS server name).
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
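
The split described in the quoted reply, as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. It assumes an explicit forward proxy whose http_port is already set up for SslBump; `.example.com` and the ACL names `tls_allowed`, `http_allowed` and `step1` are placeholders.

```squidconf
# Constructed example: .example.com and the ACL names are placeholders.

# TLS layer: the server name taken from the TLS handshake (SNI).
acl tls_allowed ssl::server_name .example.com

# HTTP layer: the domain in the HTTP message URL (for HTTPS through an
# explicit proxy, the CONNECT target).
acl http_allowed dstdomain .example.com

acl step1 at_step SslBump1

# ssl_bump rules decide what happens to the TLS connection, so they
# check the ssl::server_name ACL.
# Step 1: peek at the ClientHello so the SNI is available.
ssl_bump peek step1
# Later steps: tunnel the allowed names without decrypting them,
# and close every other TLS connection.
ssl_bump splice tls_allowed
ssl_bump terminate all

# http_access rules decide on HTTP messages, so they check the dst* ACL.
# An ssl::* ACL may be added to these rules as well when the TLS details
# should also count at the HTTP layer.
http_access allow http_allowed
http_access deny all
```

Keeping both ACLs in place covers the case the reply points out, where the domain in the HTTP request and the SNI in the TLS handshake are not the same.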