Re: filtering HTTPS

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Wed, 14 Mar 2012 12:27:36 -0300

>>>> On 03/14/2012 01:33 AM, Amos Jeffries wrote:
>>>>> It does. http://www.squid-cache.org/Doc/config/icap_206_enable/
>>> The 206 responses are similar to 204 responses (inside or outside
>>> preview) but also allow modifying the headers or the head of the data.
>> Data streams come in parts.
>> Maybe a filter wants to see the first data chunk of the client, followed
>> by the first data chunk from the server and followed by the second data
>> chunk of the client to finally decide: block (close sockets) or say "I am
>> not interested anymore". So the filter receives all data chunks of the
>> data stream until it signals the proxy about its decision. For all chunks,
>> when there is not yet a decision, the filter needs to respond with
>> something like "Continue".
>
> The ICAP protocol is not able to handle such cases. Just extending the
> ICAP protocol is not enough.
> Also, my opinion is that an HTTP proxy is not the correct tool to handle
> this type of filtering...
> Maybe it can be implemented in Squid, but it requires a completely new
> interface/module to handle this. You cannot just extend the ICAP/ECAP
> filtering subsystems....

Yes, I understood from Henrik's reply that his thoughts go to a
new type of data stream filter.

There is no industry standard to filter data streams.
So there is an important decision to make: extend an existing standard
or make a new protocol that only works between Squid on one hand and
ufdbGuard, my new ICAP server and possibly a few other tools.
Received on Wed Mar 14 2012 - 15:27:41 MDT
