The value of Squid whitelisting is to ensure clients cannot connect directly to IP addresses and avoid the Unbound whitelist. Maintaining a different whitelist for Squid and Unbound may seem excessive and cumbersome. Note that we need a special port for ssl intercept ( https_port) and the acl keywords are different ( ssl::server_name). Here are additional ssl specific lines to add to our nf file. Squid also has a mitm mode called bump but that’s outside the scope of this post. For all other hostnames we want to terminate the connection. After that, if the hostname matches our whitelist we want to do what Squid calls splice the connection, which is the blindly forward encrypted packets as if the proxy was not there. Squid calls this hostname identification step peek. Squid needs to start an SSL session with the server and parse the hostname from the returned certificate or parse the hostname from the SNI extension from the client. SSL is more tricky because the hostname the client is trying to connect to is not readily available like in plain http. Firejail -private -net=br-squid -dns=8.8.8.8 - \
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |