Yeah, you was right. When I replaced
ssl_bump server-fist vk
With
ssl_bump server-first all
it works. But I can't understand how to fix that. I don't want bump
all connections.
Thx,
Jury
> 07.10.2013 20:35 пользователь "Alex Rousskov" <rousskov_at_measurement-factory.com> написал:
>
>> > On 10/07/2013 09:19 AM, Alex Rousskov wrote:> On 10/07/2013 03:29 AM, Jury Bogdanov wrote:
>> >>> Hello. I have some problems with ssl-bump mode. Can you help me, please?
>> >>> My configuration:
>> >>
>> >>> https_port 192.168.56.100:3130 transparent ssl-bump
>> >>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> >>> cert=/home/mut/squid.pem key=/home/mut/squid.key
>> >>> acl vk dstdomain .vk.com
>> >>> ssl_bump server-first vk
>> >>> http_access deny vk all
>> >>
>> >>> But I can open https://vk.com
>>
>>
>> On 10/07/2013 10:57 AM, Jury Bogdanov wrote:
>> > In access.log I see CONNECT request to vk's ip
>>
>>
>> Your vk ACL is not using an IP address, it is using a domain name. The
>> client is using an IP address in their CONNECT request (this is common
>> for some clients). It is likely that the reverse DNS lookup of vk's IP
>> either fails or does not match vk.com. As a result, the vk ACL in your
>> "ssl_bump server-first" rule does not match and the connection is not
>> bumped.
>>
>> To check, you can replace
>>
>> ssl_bump server-first vk
>>
>> with
>>
>> ssl_bump server-first all
>>
>> and see if the CA certificate used to encrypt the response changes to
>> that of Squid.
>>
>>
>> BTW, for most purposes,
>>
>> http_access deny vk all
>>
>> is equivalent to
>>
>> http_access deny vk
>>
>> Please double check that that is what you expect/want.
>>
>>
>> HTH,
>>
>> Alex.
>> P.S. Please keep this thread on the mailing list.
>>
Received on Mon Oct 07 2013 - 19:07:23 MDT
This archive was generated by hypermail 2.2.0 : Tue Oct 08 2013 - 12:00:21 MDT