On Mon, 2015-06-01 at 12:12 +1000, Nathan Hoad wrote:
> Hello,
>
> Here are some excerpts of what I've used, and an example Python helper:
>
> https_port 60099 intercept ssl-bump tcpkeepalive
> cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2,NO_SSLv3
> generate-host-certificates=on
>
> external_acl_type sni ttl=30 concurrency=X children-max=Y
> children-startup=Z %ssl::>sni /path/to/your/helper
>
> acl sni_exclusions external sni
> acl tcp_level at_step SslBump1
> acl client_hello_peeked at_step SslBump2
>
> ssl_bump peek tcp_level all
> ssl_bump splice client_hello_peeked sni_exclusions
> ssl_bump bump all
>
> Helper:
>
> import sys
>
> # Squid sends one request per line; readline() returns as soon as a
> # line arrives, whereas read() would block until stdin is closed.
> line = sys.stdin.readline()
>
> # run loop until an empty read, which indicates the process should shut down.
> while line:
>     concurrency_id, sni = line.split()
>
>     if sni == 'wellsfargo.com':
>         sys.stdout.write('%s OK\n' % concurrency_id)
>     else:
>         sys.stdout.write('%s ERR\n' % concurrency_id)
>     # flush so Squid receives the reply immediately, not when the buffer fills
>     sys.stdout.flush()
>
>     line = sys.stdin.readline()
>
> Hope that helps,
>
> Nathan.
>
> On 30 May 2015 at 01:14, James Lay <j...@slave-tothe-box.net> wrote:
> > On 2015-05-29 08:57 AM, Nathan Hoad wrote:
> >>
> >> Yes, I have it working on about a dozen deployments so far, using an
> >> external ACL to make bumping decisions based on the SNI server name
> >> and a few other things. No complaints from me, it Just Works.
> >> On 29/05/2015 5:50 pm, "sp_" <ap...@yandex.ru> wrote:
> >>
> >>> Hello,
> >>>
> >>> does anyone have a working squid 3.5 with intercept + https?
> >>> I've googled a lot, but it seems there is no positive experience
> >>> with it.
> >>>
> >>> --
> >>> View this message in context:
> >>> http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-and-SNI-tp4670207p4671432.html
> >>> [1]
> >>> Sent from the Squid - Users mailing list archive at Nabble.com.
> >>> _______________________________________________
> >>> squid-users mailing list
> >>> squid-users@lists.squid-cache.org
> >>> http://lists.squid-cache.org/listinfo/squid-users [2]
> >>
> >> Links:
> >> ------
> >> [1] http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-and-SNI-tp4670207p4671432.html
> >> [2] http://lists.squid-cache.org/listinfo/squid-users
> >
> > Nathan,
> >
> > Care to post your config and external helper? I know I'd love to see
> > concrete examples. Thank you.
> >
> > James

Thank you Nathan.

James
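
An added example, not part of Nathan's post or of Squid itself: a variant of the quoted helper that answers the same `channel-ID sni` request lines but goes beyond the exact-match case by also matching subdomains and treating a missing SNI as no match. `SPLICE_DOMAINS`, `bank.example` and the function names are constructed for illustration, and the `-` placeholder for an absent SNI is an assumption about what Squid passes.

```python
import sys

# Constructed sample policy: domains whose TLS sessions are spliced, not bumped.
SPLICE_DOMAINS = {"wellsfargo.com", "bank.example"}


def sni_matches(sni, domains=SPLICE_DOMAINS):
    """True if sni equals a listed domain or is a subdomain of one."""
    name = sni.strip().rstrip(".").lower()
    # Assumption: an absent SNI arrives as "-" (or as nothing at all).
    if not name or name == "-":
        return False
    labels = name.split(".")
    # Compare every label-aligned suffix, so "notwellsfargo.com" does not match.
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def answer(line):
    """Map one request line 'channel-ID sni' to a reply 'channel-ID OK|ERR'."""
    parts = line.split()
    if not parts:
        return None  # blank line: nothing to answer
    channel = parts[0]
    sni = parts[1] if len(parts) > 1 else "-"
    return "%s %s" % (channel, "OK" if sni_matches(sni) else "ERR")


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests line by line until stdin is closed."""
    for line in iter(stdin.readline, ""):
        reply = answer(line)
        if reply is not None:
            stdout.write(reply + "\n")
            stdout.flush()  # reply must reach Squid before the next request


if __name__ == "__main__":
    serve()
```

With the quoted `ssl_bump` rules, `OK` makes `sni_exclusions` match and the connection is spliced; `ERR` lets it fall through to `ssl_bump bump all`.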