On 19/09/2015 4:48 a.m., Yuri Voinov wrote:
> 
> 18.09.15 21:22, Matus UHLAR - fantomas пишет:
>> from earlier e-mail:
> 
>>> acl tor_url url_regex "C:/Squid/etc/squid/url.tor"
> 
>> On 17.09.15 18:47, Yuri Voinov wrote:
>>> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
>>> ssl_bump splice NoSSLIntercept
> 
>>> # Privoxy+Tor access rules
>>> never_direct allow tor_url
> 
>>> cache_peer_access 127.0.0.1 allow tor_url
> 
>> I wonder if the never_direct and cache_peer_access should not use the same
>> acl as "ssl_bump splice".

Maybe for values but ssl::server_name ACL may not work outside ssl_bump.

It might, or it might not be usable by the other *_access rules and
depends on whether the matching decisions for those rule sets are the
same as for the ssl_bump ones. That latter condition is a big 'IF'.


>> Also, the regex \.icq\.* will apparently never match, there should be
>> "\.icq\..*" or simply "\.icq\."
> This matches ICQ.COM HTTP over 443 port.

No. "icq.com" does not contain the string ".icq" (note the initial '.').

It will match any SNI, CONNECT URI, or server certificate SubjectAltName
field containing the string ".icq" or ".icq.".

... but not the plain name "icq.com".


To match "icq.com" and all its sub-domain requests (i.e. the regex equivalent
of "dstdomain .icq.com") the correct regex is:

  (.*\.)?icq\.com$



> 
>> ...regex should match inside the server_name, correct?
>> in such case apparently kaspi\.kz should be "kaspi\.kz$"
> no. This must match kaspi\.ks.*
> And this matches.

Correct, assuming the 's'/'z' difference was a typo.

Amos
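To see what the patterns discussed above actually match, here is an added example (mine, not code from the thread or from Squid) that runs each regex as an unanchored, case-insensitive search over a few constructed server names; Squid's *_regex ACLs evaluate patterns as substring searches in the same way, so the results carry over to ssl::server_name_regex and url_regex.

```python
import re

# Squid *_regex ACLs match if the pattern is found anywhere in the value
# (unanchored search). re.search models that; IGNORECASE models the "-i" flag.
def acl_matches(pattern: str, server_name: str) -> bool:
    return re.search(pattern, server_name, re.IGNORECASE) is not None

def evaluate(pattern: str, names: list) -> list:
    """Return the subset of names that the ACL pattern would match."""
    return [n for n in names if acl_matches(pattern, n)]

# Patterns from the thread, plus an anchored kaspi variant and a fully
# anchored icq variant (my additions, marked as such).
PATTERNS = {
    "thread_icq":     r"\.icq\.*",          # from the original config line
    "amos_icq":       r"(.*\.)?icq\.com$",   # suggested replacement
    "strict_icq":     r"^(.*\.)?icq\.com$",  # added: also anchors the start
    "kaspi_loose":    r"kaspi\.kz",          # from the original config line
    "kaspi_anchored": r"kaspi\.kz$",         # suggested "$" variant
}

# Constructed sample SNI / CONNECT host values, not taken from the thread.
NAMES = [
    "icq.com",
    "www.icq.com",
    "api.icq.net",
    "notsoicq.com",
    "kaspi.kz",
    "kaspi.kz.example.net",
]

if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f"{label:15s} {pattern!r:25s} -> {evaluate(pattern, NAMES)}")
```

The run confirms the thread's points (`\.icq\.*` never matches the bare "icq.com"; an unanchored `kaspi\.kz` also matches "kaspi.kz.example.net"), and additionally shows that `(.*\.)?icq\.com$` still accepts "notsoicq.com" because the search is not anchored at the start; the `^` variant closes that.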
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users