tor 2006-08-31 klockan 14:08 -0600 skrev Neale Pickett:
> I'm investigating using squid with ICAP to authenticate inbound HTTPS
> connections. Basically, we'd want to run squid as part of a
> man-in-the-middle attack against our own web servers.
Ok.
> To do this we need to run as a transparent proxy and be able to present a
> wildcard SSL certificate for our domain, negotiate SSL, then send the HTTP
> request header off to an ICAP server that checks for our magic cookie; if not
> present the client will be redirected to an authentication page, if present,
> traffic would be passed. We would also need to establish an SSL connection
> to the real server, posing as the client.
>
> Can squid do this?
The https part is plain https reverse proxying.
And ICAP is ICAP. If you have a Squid with ICAP support it will work on
reverse proxied https requests as well.
Cookie authentication is also possible. You need some program which can
verify your magic cookie, this then plugs into Squid as an external acl,
combined with deny_info..
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Fri Sep 01 2006 - 12:00:02 MDT