On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> Hi Amos/Yuri,
>
> Currently my squid is configured with ssl bump, now I want to use peek and
> splice. I read in some forum that we don't need to install certificate on
> client's machine.
>

Splice does not require it. But what you want to do with Squid may prevent splice being used. So "it depends" ...

> As I have already asked before in mailing list to install SSL certificate
> on Android devices, which is not working.
>
> So my question is If I want to use peek and splice for example I want https
> filtering for

... on how you define "filter".

> proxy websites

Not sure what you mean by that term.

> and I don't want ssl for bank websites and
> facebook youtube and gmail. how will it work? Do I need to install SSL
> certificate on client or not, I am a bit confused with peek and splice thing.

When you intercept port 443 normally only the raw-IP is available from TCP.

Peek allows Squid to get the server name the client was trying to connect to out of the TLS. So that Squid can handle the intercepted connection as if it had received a CONNECT message (which usually have server/domain names).

Splicing can be thought of as handling an intercepted port 443 connection as if it were a CONNECT message, with no decryption. It is treated as a single "thing", with some limited control possibilities.

So... In order to bump (decrypt) some traffic and splice (not decrypt) other traffic you need to have a way to decide which type is being dealt with. Those are the peek or stare actions - to get data out of the TLS handshake for you to use in ACL decisions.

You might now want to re-read the SslPeekAndSplice documentation again to see if you understand it better. I skipped a lot of important details to make the description clear.

>
> Please let me know is that possible to configure squid 3.5.19 in such a way
> so that it will bump only proxy websites not FB youtube etc.
>

Ah. So what are these "proxy websites" you speak of?

One thing you need to be clear about is that once the TCP packets enter Squid they *have* to be "proxied". There is no way to undo TCP accept() and read() operations. But there are many ways of handling them that Squid can do.

PS.
You could post your existing config so we can suggest alterations to it that will lead to it doing your new policy. That can be another way to learn how the relevant-to-you part of the features work without diving into the full complexity of what *might* be doable.

Amos
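A squid.conf fragment showing the peek-then-decide policy Amos describes: peek at step 1 to obtain the SNI, splice the names that must stay encrypted, bump the rest. This is an added example, not Amos's or Reet's configuration; the intercept port 3130, the CA certificate path and the site list are assumptions.

```conf
# Assumed intercept port and CA certificate. The CA only has to be trusted
# by clients for the sites that are bumped; spliced sites never see it.
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# SslBump1: only the client's ClientHello (and its SNI) has been read so far.
acl step1 at_step SslBump1

# Assumed list of names that must pass through undecrypted.
acl nobump ssl::server_name .facebook.com .youtube.com .google.com
acl nobump ssl::server_name .mybank.example

# Order matters: peek first so ssl::server_name has the SNI to match on,
# then splice the exempt names, then bump everything that remains.
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all
```

A client that sends no SNI matches none of the names and falls through to the bump rule, so check that case against the policy you actually want.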