On 06/07/11 18:34, Deniz Eren wrote:
> Hi;
>
> Can you give me an idea from where to start in order to pass https
> traffic unprocessed through squid or implement SNI filtering for
> squid, that will be enough to start my project.
>
> Thanks in advance..
>
We have not yet gotten around to implementing an "ssl" flag on http_port
directives. You will need to start with that to allow detection of the
case where ssl traffic is intercepted on a port.
You will need to adjust TunnelStateData so that you can create it with
only a Comm::Connection object instead of a ClientHttpRequest or
HttpRequest object.
You will need to then figure out what changes to ConnStateData are
needed to detect the intercept+ssl flags case and do SNI instead of
parsing an HTTP request. Have it spawn a TunnelStateData object to do
the actual bit-relay work, somehow making sure the whole SSL sequence
including SNI data arrives properly at the destination server without
getting lost or swallowed by Squid's processing.
Good luck.
>
> On Mon, Jul 4, 2011 at 3:04 PM, Deniz Eren <deniz_at_denizeren.net> wrote:
>> Hi;
>>
>> I'm planning to work on an acl which uses SNI. But I need to pass
>> https traffic through squid without processing it. Because I'm not
>> interested in filtering or seeing the content, SNI server_name info
>> will be enough. But with squid it is not possible to pass https
>> traffic without processing it. In my design I won't use proxy, the
>> iptables rule below will redirect https traffic to squid:
>>
>> iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT
>> --to-destination 192.168.0.1:3128
>>
>> Can you give me ideas how to solve above problem? And also are you
>> working on SNI filtering?
>>
>> Good day to you..
>>
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9

Received on Wed Jul 06 2011 - 08:37:06 MDT
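The middle step in the reply above (read the SNI out of the client's first bytes instead of parsing an HTTP request, then hand the untouched bytes to a tunnel) comes down to a ClientHello parser that never consumes anything. The following is an added example written for this archive page; it is not Squid code and uses none of Squid's classes. The names extractSni and buildClientHello are hypothetical helpers, and the ClientHello they operate on is constructed inline so the example runs offline. The parser reads the TLS record header, the ClientHello body and the extensions list per RFC 5246 / RFC 6066 from a const buffer, so whatever it sees is still intact to be relayed to the origin server; it returns no value when the buffer is not a handshake record, not a ClientHello, or not yet complete, which is the signal to keep reading before deciding anything.

```cpp
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical helper (not part of Squid): return the host_name from the
// server_name extension of a TLS ClientHello that starts at buf[0].
// std::nullopt means "not a complete ClientHello with SNI": either keep
// buffering (truncated) or treat the connection as non-TLS / SNI-less.
std::optional<std::string> extractSni(const std::vector<uint8_t>& buf) {
    size_t p = 0;
    auto need = [&](size_t n) { return p + n <= buf.size(); };
    auto u8  = [&]() -> uint8_t  { return buf[p++]; };
    auto u16 = [&]() -> uint16_t {
        uint16_t v = static_cast<uint16_t>((buf[p] << 8) | buf[p + 1]);
        p += 2;
        return v;
    };

    // TLS record header: content_type(1) version(2) length(2)
    if (!need(5)) return std::nullopt;
    if (u8() != 0x16) return std::nullopt;            // not a handshake record
    p += 2;                                           // record-layer version
    size_t recordLen = u16();
    if (!need(recordLen)) return std::nullopt;        // record not fully buffered yet
    size_t recordEnd = p + recordLen;

    // Handshake header: msg_type(1) length(3)
    if (!need(4)) return std::nullopt;
    if (u8() != 0x01) return std::nullopt;            // not a ClientHello
    size_t hsLen = (buf[p] << 16) | (buf[p + 1] << 8) | buf[p + 2];
    p += 3;
    if (p + hsLen > recordEnd) return std::nullopt;

    // client_version(2) random(32) session_id<0..32>
    if (!need(35)) return std::nullopt;
    p += 34;
    size_t sidLen = u8();
    if (!need(sidLen)) return std::nullopt;
    p += sidLen;

    // cipher_suites<2..2^16-2>, then compression_methods<1..2^8-1>
    if (!need(2)) return std::nullopt;
    size_t csLen = u16();
    if (!need(csLen)) return std::nullopt;
    p += csLen;
    if (!need(1)) return std::nullopt;
    size_t cmLen = u8();
    if (!need(cmLen)) return std::nullopt;
    p += cmLen;

    // extensions<0..2^16-1>; an SSLv3-style hello without extensions ends here
    if (!need(2)) return std::nullopt;
    size_t extLen = u16();
    if (!need(extLen)) return std::nullopt;
    size_t extEnd = p + extLen;

    while (p + 4 <= extEnd) {                         // extension_type(2) length(2) data
        uint16_t type = u16();
        size_t len = u16();
        if (p + len > extEnd) return std::nullopt;
        if (type == 0x0000) {                         // server_name (RFC 6066)
            size_t q = p, dataEnd = p + len;
            if (q + 2 > dataEnd) return std::nullopt;
            size_t listEnd = q + 2 + ((buf[q] << 8) | buf[q + 1]);
            q += 2;
            if (listEnd > dataEnd) return std::nullopt;
            while (q + 3 <= listEnd) {                // name_type(1) length(2) name
                uint8_t nameType = buf[q++];
                size_t nameLen = (buf[q] << 8) | buf[q + 1];
                q += 2;
                if (q + nameLen > listEnd) return std::nullopt;
                if (nameType == 0)                    // host_name
                    return std::string(buf.begin() + q, buf.begin() + q + nameLen);
                q += nameLen;
            }
            return std::nullopt;
        }
        p += len;
    }
    return std::nullopt;                              // no server_name extension
}

// Constructed sample input: a minimal TLS 1.2 ClientHello carrying
// server_name = host, with one other (empty) extension in front of it.
std::vector<uint8_t> buildClientHello(const std::string& host) {
    auto put16 = [](std::vector<uint8_t>& v, size_t x) {
        v.push_back(static_cast<uint8_t>(x >> 8));
        v.push_back(static_cast<uint8_t>(x & 0xff));
    };
    std::vector<uint8_t> body = {0x03, 0x03};         // client_version TLS 1.2
    body.insert(body.end(), 32, 0x42);                // random (fixed for the example)
    body.push_back(0);                                // session_id length 0
    put16(body, 2); put16(body, 0xc02f);              // one cipher suite
    body.push_back(1); body.push_back(0);             // null compression only

    std::vector<uint8_t> ext, sni;
    put16(ext, 0x0017); put16(ext, 0);                // extended_master_secret, empty
    put16(sni, host.size() + 3);                      // server_name_list length
    sni.push_back(0);                                 // name_type host_name
    put16(sni, host.size());
    sni.insert(sni.end(), host.begin(), host.end());
    put16(ext, 0x0000); put16(ext, sni.size());
    ext.insert(ext.end(), sni.begin(), sni.end());
    put16(body, ext.size());
    body.insert(body.end(), ext.begin(), ext.end());

    std::vector<uint8_t> rec = {0x16, 0x03, 0x01};    // handshake record, version 3.1
    put16(rec, body.size() + 4);
    rec.push_back(0x01);                              // ClientHello
    rec.push_back(0); put16(rec, body.size());        // 3-byte handshake length
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}

int main() {
    std::vector<uint8_t> hello = buildClientHello("www.example.com");
    auto name = extractSni(hello);
    std::cout << (name ? *name : "<no SNI>") << "\n";
    // First segment cut short: the caller must read more before deciding.
    std::vector<uint8_t> partial(hello.begin(), hello.begin() + 20);
    std::cout << (extractSni(partial) ? "parsed" : "incomplete") << "\n";
    return 0;
}
```

Two caveats for anyone wiring this into an interceptor: the first segment from a client frequently does not contain the whole ClientHello, so "incomplete" must mean "read more", not "deny"; and the name is whatever the client chose to send, so an ACL built on it controls where the tunnel is allowed to go, not what the origin server actually is.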