Re: [squid-users] squid transparent proxy - https ssl filtering url

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 24 Mar 2012 02:08:28 +1300

On 24/03/2012 1:44 a.m., Michał Wiącek wrote:
>> You seem to be speaking of an interception gateway filter.
>>
>> SSL was designed to prevent man-in-the-middle attacks (aka interception)
>> from being done.
>
> Maybe I said it wrong - I do not want to intercept, but only decide which host
> can connect
>
>> This is not possible. The URL is inside the encryption. You must decrypt
>> the traffic in order to even see the URL.
> I do not want to filter all URLs, only the host; if the host is encrypted, how do routers
> know which host to connect to?

Ah okay language problems.

The destination IP and port are known from TCP. And when the browser is
configured to use a proxy it sends the domain name as well. But nothing
else is easily available for HTTPS.

If I am understanding you right, what you actually want is a whitelist
or blacklist of destinations in the firewall. This would work better
than what Squid can offer with HTTPS.

In both cases you have the same problems of figuring out and listing
what destination IP/host are to be blocked or allowed. The firewall can
do it far faster and simpler though.

Amos
Received on Fri Mar 23 2012 - 13:08:38 MDT
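
An added example, not part of the original message or of Squid's code: a host-only filter over what a browser configured to use a proxy sends for HTTPS, which is a CONNECT line carrying the domain name and port but no URL path. The allowlist, the sample requests in the usage note, and the choice to deny IP literals are assumptions made for illustration.

```python
import ipaddress

# Hypothetical allowlist; a real deployment would load this from policy.
ALLOWED_DOMAINS = {"example.com", "updates.example.org"}
ALLOWED_PORTS = {443}

def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    if not parts[2].startswith("HTTP/"):
        return None
    target = parts[1]
    if target.startswith("["):              # bracketed IPv6 literal
        host, sep, port = target[1:].partition("]:")
    else:
        host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.lower().rstrip("."), int(port)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_allowed(host):
    """Exact match, or a subdomain of an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def decide(request_line):
    """Decide on host and port only; the URL is never visible here."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "deny: not a valid CONNECT request"
    host, port = parsed
    if port not in ALLOWED_PORTS:
        return "deny: port not allowed"
    if is_ip_literal(host):
        # Assumption: with no domain name to match, refuse by default.
        return "deny: IP literal, no domain name to match"
    if not domain_allowed(host):
        return "deny: domain not in allowlist"
    return "allow"
```

For instance, `decide("CONNECT www.example.com:443 HTTP/1.1")` allows the tunnel, while a request naming `192.0.2.10:443` is refused because only the IP and port are available, the same information a firewall rule would match on.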
