Re: [squid-users] SSL sites bypass authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 20 Mar 2012 14:54:21 +1300

On 20.03.2012 08:46, Milen Pankov wrote:
> On 19.03.2012 19:09, Matus UHLAR - fantomas wrote:
>>
>> it's impossible for the proxy to pass error page to the browser, when
>> the user bypasses the proxy and connects to the website directly.
>>
>> You must deny direct access to HTTPS (port 443) sites by a firewall and
>> force browsers to use the proxy, if you want to control access on the
>> proxy.
>>
>> However, as long as HTTPS is encrypted, the only way you can allow/deny
>> users using some sites, is having list of sites (IP addresses) that will
>> be allowed (and deny access to others) or denied (and allow access to
>> others).
> Hi,
>
> Yes I understand that. However as the direct traffic to port 443 happens
> on the client computer and not on the server I don't have access to
> every client computer to block access to port 443 by a firewall and I
> don't think that is necessary. The user may or may not use the proxy,
> it's up to the user. However if he has configured the browser to use a
> proxy and the browser does not use the proxy (although user refused to
> authenticate) that's the problem. As I however said I first thought it
> was a browser problem, but it appears not to be as I can reproduce it on
> different browsers. Maybe it is not only a squid problem, it may be
> both a browser and a squid problem, I don't know.
>
> Regards,
> Milen

So:
  - user configured browser to use a proxy
  - browser does not use proxy

How is disobeying its own configuration details *not* a browser
problem?

Answer: when the problem is the user themselves misunderstanding the
browser configuration.

For example, it is perfectly possible to configure all your browsers to
use a proxy *only* for HTTP traffic, skipping the proxy for non-HTTP
protocols ... in modern browsers that includes HTTPS, WebSockets and SPDY.

*How* is the browser configured?

Amos
Received on Tue Mar 20 2012 - 01:54:24 MDT
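
The following is an added example, not part of the original message or of Squid: a small Node.js audit that loads a proxy auto-config (PAC) function and lists the URL schemes it sends DIRECT, which is the "proxy only for HTTP" browser configuration described above. Both PAC bodies, the proxy name `proxy.example.internal:3128` and the sample URLs are constructed, and the audit assumes the URL reaches the PAC function with its scheme unchanged.

```javascript
// Added example: find URL schemes for which a PAC file bypasses the proxy.
// Run it only on PAC files you trust: the PAC source is evaluated as code.
// PAC helper functions (isPlainHostName, shExpMatch, ...) are not provided here.

// Constructed PAC that proxies plain HTTP only; everything else goes DIRECT.
const pacHttpOnly = `
function FindProxyForURL(url, host) {
  if (url.substring(0, 5) === "http:") return "PROXY proxy.example.internal:3128";
  return "DIRECT";
}`;

// Constructed PAC that sends every scheme through the proxy.
const pacAllSchemes = `
function FindProxyForURL(url, host) {
  return "PROXY proxy.example.internal:3128";
}`;

// One constructed sample URL per scheme the audit checks.
const SAMPLE_URLS = {
  http: "http://www.example.com/",
  https: "https://www.example.com/",
  ws: "ws://www.example.com/socket",
  wss: "wss://www.example.com/socket",
};

// Evaluate the PAC source and return its FindProxyForURL function.
function loadPac(source) {
  return new Function(`${source}\nreturn FindProxyForURL;`)();
}

// Return the schemes whose first PAC answer is DIRECT (or empty),
// i.e. traffic that never reaches the proxy and so is never asked to authenticate.
function bypassingSchemes(source) {
  const find = loadPac(source);
  const bypass = [];
  for (const [scheme, url] of Object.entries(SAMPLE_URLS)) {
    const host = new URL(url).hostname;
    const first = String(find(url, host)).split(";")[0].trim().toUpperCase();
    if (first === "" || first.startsWith("DIRECT")) bypass.push(scheme);
  }
  return bypass;
}

console.log("http-only PAC bypasses:", bypassingSchemes(pacHttpOnly));
console.log("all-schemes PAC bypasses:", bypassingSchemes(pacAllSchemes));
```
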
