Re: [squid-users] Transparent SSL allowed list. If not possible with squid, would it be possible other ways?

From: Matus UHLAR - fantomas <uhlar_at_fantomas.sk>
Date: Mon, 9 Nov 2009 10:54:47 +0100

On 29.10.09 13:14, Matthew Young wrote:
> Ive been advised by Amos in past postings that having transparent SSL
> manipulation with SQUID is not possible, agreed. However I need to be
> able to _somehow_ have an allowed list of ssl sites specific to each
> LAN user (based on private IP or MAC) that he/she can access. Again
> this has to be with squid configured as transparent, and not with a
> pac file or settings in a browser.

of course that would still make people who turn proxy off disable that.

> If squid definately cannot help here, I thought of a way to then take
> my list of SSL enabled sites (gmail.com for example) and resolve the
> domain to an IP and then add it in a firewall so that X user has
> access to port 443 on that firewall. However the downside to this is
> that if gmail changes the IP (which they will) the firewall rule which
> is static would need an update.

Yes, this is the only solution and it's downside. The same would be if you'd put
those restrictions into squid. You just can not intercept and filter SSL
request (unless using sslBump but your users would see it)

> Other a lot more complicated way would be for a packet sniffer on the
> outgoing DNS connection soliciating the access to enabled ssl site
> and then immediately create a firewall rule for that.
>
> What is the best practice?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
Received on Mon Nov 09 2009 - 09:54:51 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 09 2009 - 12:00:03 MST