23.09.15 17:07, Matus UHLAR - fantomas wrote:
Hello,

On 17.09.15 18:47, Yuri Voinov wrote:
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept

# Privoxy+Tor access rules
never_direct allow tor_url

cache_peer_access 127.0.0.1 allow tor_url

18.09.15 21:22, Matus UHLAR - fantomas wrote:
I wonder if the never_direct and cache_peer_access should not use the same
acl as "ssl_bump splice".

On 20.09.15 20:59, Amos Jeffries wrote:
Maybe for values but ssl::server_name ACL may not work outside ssl_bump.

It might, or it might not be usable by the other *_access rules and
depends on whether the matching decisions for those rule sets are the
same as for the ssl_bump ones. That latter condition is a big 'IF'.

I wonder how this matches. The SNI should only be seen when the HTTPS
connection is received, either by intercepting HTTPS or by a client using
HTTPS to connect to the proxy. On an unintercepted HTTP port that received
a CONNECT request, it would only see the CONNECT string, e.g.
"CONNECT kaspi.kz:443", correct?

About SNI - not fact. When I completely turn off SSL bump, this looks the
same. Also, the testing server is a non-intercepting proxy, just forwarding.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users