On 2/25/21 2:07 PM, Justin Michael Schwartzbeck wrote:

> I have thus far used dstdomain acl for bypassing ssl bump on sites that
> we don't want to decrypt, like banking sites. It seems to work for some
> sites, but not for others.

Yes, many HTTPS transactions do not expose destination domain until it
is too late to decide whether to bump them, and reverse DNS lookups are
often unreliable.


> I was thinking about this, and it seems to me that if we are using the
> squid proxy with a dns server, we should be able to check the dns cache
> for that IP, and find the associated hostname, and then match against that.

When you use dstdomain, Squid will do a (reverse) DNS query for you as
necessary (including DNS cache lookups) unless you specify a -n option
that is documented to disable all such operations.


In many cases, you should be using ssl::server_name instead of dstdomain
or dst ACL, but you may have to use a combination of various ACLs to
cover all the cases you care about.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
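An added squid.conf fragment illustrating the combination Alex describes (this is example configuration, not from the thread or from the Squid project docs). It assumes a Squid 4+ build with SSL-Bump, and uses made-up domain names; the `-n` flag on dstdomain and the at_step/peek/splice directives are real Squid options. The idea is to peek at step 1 so the TLS ClientHello SNI is available, then splice on ssl::server_name, falling back to a DNS-free dstdomain match for CONNECT requests that name a host up front:

```conf
# Step ACLs: SslBump1 sees only the CONNECT target / intercepted IP,
# SslBump2 also sees the client's TLS SNI after a peek.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Sites that must never be decrypted (example domains, not real targets).
# ssl::server_name matches the SNI (or the CONNECT host when no SNI yet).
acl NoDecryptSNI ssl::server_name .bank.example .payments.example

# Same list for plain CONNECT requests; -n suppresses any DNS lookups,
# so this only matches when the request itself carries a hostname.
acl NoDecryptHost dstdomain -n .bank.example .payments.example

# Always peek first so the SNI becomes known before the decision is made.
ssl_bump peek step1

# Splice (pass through untouched) anything on the do-not-decrypt lists.
ssl_bump splice NoDecryptSNI
ssl_bump splice NoDecryptHost

# Everything else gets decrypted.
ssl_bump bump all
```

Ordering matters: if `ssl_bump bump all` preceded the peek, Squid would decide at step 1 without ever seeing the SNI, which reproduces the "works for some sites, not others" behaviour described above. A client that sends no SNI at all (rare today, but possible with older software) will not match NoDecryptSNI, so keep the dstdomain rule as the second line of defence for explicit-proxy CONNECT traffic.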