Re: [squid-users] Squid transparent proxy issues with redirecting from HTTP to HTTPs

From: guest01 <guest01_at_gmail.com>
Date: Fri, 16 Mar 2012 15:51:29 +0100

Hi,

Thanks for the fast response.

On Fri, Mar 16, 2012 at 3:08 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 17/03/2012 2:27 a.m., guest01 wrote:
>
>> Can anybody offer a solution or how do you allow HTTPs in your guest
>> (W)LANs? Direct connection or using proxy-scripts (WPAD,...)?
>
>
> Add a name=X parameter to your http_port intercept port and use the
> myportname ACL type to limit the redirect only to happen on requests
> arriving via that port.

OK, in my setup I am using the same IP with different ports:

http_port 10.122.125.2:3129 intercept name=transparentHTTPPort
https_port 10.122.125.2:3130 intercept cert=/etc/squid/squid.pem name=transparentHTTPsPort
acl redirectbehavior myportname transparentHTTPPort

And how would I apply the myportname-acl? (Sounds like a noob
question, but I could not find helpful documentation)

>
> That will get the redirects going and then you face the actual blocker
> problem...
>
>  ... when you do HTTPS intercept on a guest how do you intend to install
> your local CA on the guest browsers to prevent fake-certificate warnings on
> every page load they do?
>  SSL interception in Squid only supports the environments where the browsers
> are configured to trust the local proxy's CA.   DMZ, Captive Portals, and
> residential ISP type networks cannot do it without opening themselves up to
> a range of legal issues.
>
We don't because we can't. It is only an internal guest LAN mainly for
customers or private devices (like smartphones, tablets).
Unfortunately, there are some security regulations which prohibit
direct HTTPs connections, everything has to be proxified, even
non-HTTP-traffic like android market/google play (that's another
non-Squid-related issue).

thanks!
Received on Fri Mar 16 2012 - 14:51:37 MDT
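
An added example, not part of the original message or of Amos's reply: one way to apply the myportname ACL so the redirect only fires for requests arriving on the intercepted HTTP port. It assumes the HTTP-to-HTTPS redirect is produced by a url_rewrite_program helper; the helper path is a hypothetical placeholder.

```conf
# Listening ports as posted in the message above (each directive on one line).
http_port 10.122.125.2:3129 intercept name=transparentHTTPPort
https_port 10.122.125.2:3130 intercept cert=/etc/squid/squid.pem name=transparentHTTPsPort

# Matches only requests that arrived on the port named transparentHTTPPort.
acl redirectbehavior myportname transparentHTTPPort

# Assumption: the redirect is issued by a URL rewrite helper.
# The path below is a placeholder, not a value from the thread.
url_rewrite_program /path/to/redirect-helper

# Hand only requests from the intercepted HTTP port to the helper;
# requests arriving on any other port bypass it.
url_rewrite_access allow redirectbehavior
url_rewrite_access deny all
```

Running `squid -k parse` checks the file for syntax errors before the configuration is reloaded.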
