I worked it out, my "no Https interception" was working on websites if I put the URL in that txt file
nointercept.txt

But I needed to make a proxy.ini file as well on the host in question, for it to point to the proxy

Once it pointed to the proxy I could then monitor the traffic and see what URL I needed to whitelist and to put in the no SSL interception

Once I did that all good

Thanks guys, much appreciated

On Wed, 18 May 2022, 20:21 Eliezer Croitoru, <ngtech1...@gmail.com> wrote:

> Hey Alex,
>
> I have started working on some external_acl helper that will probe the
> server certificate like what ufdbguard does but will be written
> probably in another language than C++ ... ie scripting or GoLang or Rust.
> The idea is that there will be some cache or DB that will store information
> about an IP+port paired with SNI.
> A storage engine like a cache would help to "know" enough about the server
> to ultimately decide if there is a risk in splicing this specific
> connection.
> It's also possible that the first time that the request will pass via thru
> the proxy it will be bumped to probe the connection for more information
> when possible.
>
> In general for commercial products there is either a CDN service or a
> dedicated service.
> These usually are not the risk for the proxy users and can be spliced.
> The main issue is if one service on a specific IP serves more than one
> domain that contains different content.
> The best example is Google CDN network that might serve on the same IP and
> certificate and SNI (because of HTTP/2.0) different domains.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
>
> -----Original Message-----
> From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Alex Rousskov
> Sent: Wednesday, May 18, 2022 21:39
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] disable https inspection for licensing some apps
>
> On 5/18/22 12:28, robert k Wild wrote:
>
> > acl DiscoverSNIHost at_step SslBump1
> > acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointercept.txt"
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump splice NoSSLIntercept
> > ssl_bump bump all
>
> OK, the above configuration makes the splice/bump decision based on
> plain text information provided by the TLS client.
>
> > and in the nointercept.txt
> > i have the url in there
>
> ssl::server_name needs a host/domain name, not a regular URL. No URLs
> are exchanged in plain text between TLS client and the origin server.
>
> Please note that, even after adjusting nointercept.txt to contain domain
> name(s), the above configuration may not always work in modern Squids:
> It will work when the client sends a matching domain name
>
> * in the CONNECT request headers (and sends no TLS SNI at all)
> * in the CONNECT request headers and in TLS SNI
> * in TLS SNI (the CONNECT request headers should not matter).
>
> It will also work when a CONNECT request is using an IP address that
> reverse-resolves to a matching domain name (which is not overwritten by
> a mismatching SNI).
>
> In all other cases, Squid will bump traffic even if it is ultimately
> going to the server named in nointercept.txt.
>
> There is no configuration that will address all possible cases in
> general. TLS makes that impossible (at least not without probing TLS
> origin servers which is something Squid does not do yet).
>
> HTH,
>
> Alex.
>
> >, also i have it in the url white list so it can actually see the url
> >
> > is there something else i need to add for this to work
> >
> > or maybe some websites ie license website just don't like it going through a proxy
> >
> > On Wed, 18 May 2022 at 16:57, robert k Wild <robertkw...@gmail.com> wrote:
> >
> >     hi all,
> >
> >     i have squid proxy configured as ssl bump and i white list some
> >     websites only
> >
> >     but for some websites i don't want to inspect https traffic as it
> >     breaks the cert when i want to license some apps via the url
> >     (whitelist url)
> >
> >     how can i disable https inspection for some websites please
> >
> >     many thanks,
> >     rob
> >
> >     --
> >     Regards,
> >
> >     Robert K Wild.
> >
> > --
> > Regards,
> >
> > Robert K Wild.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
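The following is an added example, not part of the thread and not Squid's own code: a simplified Python model of the cases listed in Alex's reply, plus a helper that reduces URL entries in nointercept.txt to the host names ssl::server_name needs. The function names, the sample hosts and the exact-match comparison are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a nointercept.txt that mixes a URL with a host name.
SAMPLE = """\
# licensing hosts that must not be bumped
https://Licensing.Example.com:443/activate?id=1
updates.example.net
"""

def to_server_name(entry):
    """Reduce one entry to a bare host name (no scheme, port or path)."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    # urlsplit() only fills .hostname when the text contains '//'.
    return urlsplit(entry if "//" in entry else "//" + entry).hostname

def load_allowlist(text):
    return {n for n in map(to_server_name, text.splitlines()) if n}

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def compared_name(connect_target, sni=None, reverse_dns=None):
    """Name the splice rule sees, following the cases in Alex's reply."""
    if sni:  # SNI present: the CONNECT header no longer matters
        return sni.lower()
    host = connect_target.rsplit(":", 1)[0].lower()
    if is_ip(host):  # IP-only CONNECT: only a reverse-DNS name can match
        return reverse_dns.lower() if reverse_dns else None
    return host

def decision(allowlist, connect_target, sni=None, reverse_dns=None):
    # Exact host comparison only: a simplification made by this example.
    name = compared_name(connect_target, sni, reverse_dns)
    return "splice" if name in allowlist else "bump"

if __name__ == "__main__":
    allow = load_allowlist(SAMPLE)
    for args in [("licensing.example.com:443",),
                 ("203.0.113.10:443", "licensing.example.com"),
                 ("203.0.113.10:443", None, "licensing.example.com"),
                 ("203.0.113.10:443",)]:
        print(args, "->", decision(allow, *args))
```

The last case is the one the thread warns about: a client that connects by IP address and sends no SNI is bumped even when the destination is a host on the list.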