Re: [squid-users] ssl-bump mode

From: shawn wilson <ag4ve.us_at_gmail.com>
Date: Tue, 8 Oct 2013 16:32:53 -0400

If I understand correctly, you want to bump IPs from one domain, right?

In your iptables rule, before it is redirected to squid, either have a
jump with a list of IPs for that domain (or preferable an ipset list)
and update that list with an external script (cron job or whatever).
It's also possible to use a DNS server like powerdns that allows for
different backends and could do this for you basically live (the name
resolution is made before the request so if the rule is in place
before the request you're set).

Yeah, I'm speaking pretty abstract as this will be a bit of work but
quite doable.

On Tue, Oct 8, 2013 at 3:25 PM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 10/08/2013 01:35 AM, Jury Bogdanov wrote:
>
>> To isolate the IP's I need to know all of them. But I don't know all
>> IP's. Some domains have a lot of IP's. Squid can't resolve the IP's?
>
>
> Squid can (and does) perform a reverse DNS lookup when the request uses
> an IP address and your ACL is using a domain name. Whether that reverse
> DNS lookup is successful at all, or whether its result (the domain name)
> matches your domain-based ACL value is outside of Squid control. The
> former depends primarily on the authoritative DNS zone setup. The latter
> depends on that zone and on your ACL.
>
> You can try performing reverse lookups yourself using the logged IP
> address and command tools like dig. Squid results may differ, but often
> do not, especially if both Squid and your command line tool are
> configured to use the same DNS resolver.
>
>
> Many popular sites use dozens of IP addresses, some of which cannot be
> resolved back to the site name. IP:domain may also depend on the
> physical location of the DNS client (i.e., Squid). I know some admins
> that write complicated distributed scripts that try to maintain a
> IP:domain map for some special cases of very popular sites and use that
> in their bumping rules...
>
>
> Good luck,
>
> Alex.
>
>
>
>> 2013/10/8 Amos Jeffries <squid3_at_treenet.co.nz>:
>>> On 8/10/2013 8:07 a.m., Jury Bogdanov wrote:
>>>>
>>>> Yeah, you was right. When I replaced
>>>> ssl_bump server-fist vk
>>>>
>>>> With
>>>> ssl_bump server-first all
>>>> it works. But I can't understand how to fix that. I don't want bump
>>>> all connections.
>>>
>>>
>>> That change was just a test to verify Alex theory was correct.
>>>
>>> For the final config you need to find some ACL condition or test that
>>> matches the traffic you want to match. You can do so with mutiple ssl_bump
>>> lines and/or ACLs if necessary.
>>>
>>> The specifics are up to you, but it sounds like to need to isolate the IP's
>>> for that domain and permit bumping for them as well as for its domain name.
>>>
>>> Amos
>
Received on Tue Oct 08 2013 - 20:33:22 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 09 2013 - 12:00:05 MDT