Michael Renner wrote:
> On Sunday 26 September 2004 18:32, Henrik Nordstrom wrote:
>> Why do you want to transparently intercept https tunnels? What is wrong
>> with using NAT/Masquerade?
> We had a NAT/Masquerade network before, with open ports 80 and 443. The
> users are not allowed to do anything else than http and https. But they
> are clever enough to tunnel ssh (or much more: pppssh-tunnel) through the
> open ports.
> So we closed the ports and made this transparent proxy.
This won't help - users can tunnel through a transparent proxy in a similar
manner using HTTPS. Due to the design of SSL, the proxy cannot see the
traffic itself - it just opens a connection to the remote server and passes
traffic back and forth.
> Another reason are visitors: They should not have to reconfigure their
> notebook while they are in our institute.
Why not? You can make it easy by taking a few steps:
1) Set up WPAD, which most browsers support. There's an FAQ on it:
http://www.squid-cache.org/Doc/FAQ/FAQ-5.html#ss5.10
2) Redirect port 80 and 443 to a web server that serves a single page
telling users how to configure their browser to use the proxy.
Adam
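As an added illustration of step 1 (not part of Adam's post or of Squid's own code), this is the kind of proxy auto-config (PAC) script a WPAD host would serve as wpad.dat: browsers call FindProxyForURL for every request, so internal hosts go direct and everything else is sent to the proxy. The internal domain "institute.example" and the proxy address "proxy.institute.example:3128" are assumptions, not values from the thread.

```javascript
// Proxy auto-config (PAC) script served via WPAD. Written in ES3-style
// JavaScript, as PAC engines historically expect (no let/const/endsWith).
// ASSUMED values (not from the thread): internal DNS domain and proxy address.
var INTERNAL_DOMAIN = "institute.example";
var PROXY = "PROXY proxy.institute.example:3128";

// True when s ends with suffix (PAC engines may lack String.endsWith).
function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.lastIndexOf(suffix) === s.length - suffix.length;
}

// RFC 1918 address literals stay inside the institute network.
function isPrivateAddress(host) {
  return /^10\./.test(host) ||
         /^192\.168\./.test(host) ||
         /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host);
}

// Unqualified names (no dot), the internal domain and private addresses
// are reachable without the proxy; "notinstitute.example" must NOT match.
function isInternalHost(host) {
  var h = host.toLowerCase();
  return h.indexOf(".") === -1 ||
         h === INTERNAL_DOMAIN ||
         endsWith(h, "." + INTERNAL_DOMAIN) ||
         isPrivateAddress(h);
}

// Entry point the browser calls; url is the full request URL, host its hostname.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) {
    return "DIRECT";
  }
  // Outside traffic, http and https alike, is only allowed through Squid;
  // a "PROXY ...; DIRECT" fallback is deliberately omitted so a proxy outage
  // does not silently turn into direct (blocked) connections.
  return PROXY;
}
```

Once the file is served at http://wpad.institute.example/wpad.dat (or announced via DHCP option 252), visiting notebooks that have auto-detection enabled pick it up without manual configuration.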
Received on Sun Sep 26 2004 - 13:30:55 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:03 MDT