Re: https permit/deny

vects wrote:
> On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
>> Never used l7 for doing that kind of filtering, don't know if it's possible.
>>
>> Anyway, if you need some hard filtering based on URLs, both http and https, I would recommend that you use an http/https proxy, just like squid, for doing that.
>>
>> Completely block https (TCP/443) traffic with iptables and get your clients to use an http/https proxy and do the filtering there. I'm pretty convinced it will be easier and you'll have a lot more flexibility on the rules. Squid's ACLs are pretty flexible, you should give it a try.
> Does it work in transparent mode (I mean for https)? I just can't tell all clients to use squid by phone; https filtering
> must be hidden from them. As I know, the latest squid supports totally
> transparent mode, is that working for https also?

HTTPS simply can't be treated in completely transparent mode, because that would be detected as a 'man-in-the-middle' attack by the browser and would break the end-to-end cryptography that SSL/TLS uses.

http can be completely transparent, but https cannot.

Anyway, if you search the archives, you'll find that it's a common opinion that iptables is not the right place, even with layer7 patches, to do complex layer7 filtering. It can even do some application filtering, but it's not supposed to replace application proxy tools, just like squid for http/https. Complex rules can be applied in an easier and more flexible way in the application layer, with an appropriate application proxy.

--


	Atenciosamente / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@xxxxxxxxxxxxxx
	My SPAMTRAP, do not email it
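As an added illustration of the setup Leonardo recommends (example script written for this page, not code from the thread or from the squid or netfilter projects): on the gateway, iptables redirects plain http into a transparent squid port, while direct TCP/443 from the LAN is refused so that browsers have to use the explicitly configured proxy port, where squid sees the hostname in the CONNECT request and can apply the same dstdomain ACL to both http and https without breaking the TLS session. The interface name, subnet, ports and the /etc/squid/blocked_domains path are assumed values; the `transparent` keyword on `http_port` is squid 2.x syntax (later versions spell it `intercept`). Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: gateway-side setup of the scheme
# described above. Plain http is intercepted transparently; direct https
# is refused so browsers must use the explicitly configured proxy, where
# squid filters CONNECT requests by hostname without touching TLS.
# All addresses, interface names and ports below are constructed values.
LAN_IF="${LAN_IF:-eth1}"                  # interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # client subnet
PROXY_PORT="${PROXY_PORT:-3128}"          # port clients configure explicitly
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # port that receives redirected http
IPT="${IPT:-iptables}"                    # set IPT=echo for a dry run

# Netfilter rules. Squid is assumed to run on the gateway itself, so its own
# outbound https leaves through the OUTPUT chain and is not hit by the
# FORWARD rule below.
proxy_rules() {
    # http from the LAN: transparent interception is fine for plain http
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
    # https from the LAN: refuse direct connections (inserted at the top so a
    # later blanket ACCEPT cannot override it); a TCP reset makes the browser
    # fail immediately instead of hanging on a dropped SYN
    $IPT -I FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
        -j REJECT --reject-with tcp-reset
}

# squid.conf fragment. "transparent" is the squid 2.x keyword for an
# intercepted port (squid 3.1+ spells it "intercept"). dstdomain matches the
# host of plain requests and the target of CONNECT requests alike, so one
# blocked-domain list (assumed path) covers both http and https.
squid_acl_fragment() {
    cat <<EOF
http_port $PROXY_PORT
http_port $INTERCEPT_PORT transparent
acl localnet src $LAN_NET
acl SSL_ports port 443
acl CONNECT method CONNECT
acl blocked dstdomain "/etc/squid/blocked_domains"
http_access deny CONNECT !SSL_ports
http_access deny blocked
http_access allow localnet
http_access deny all
EOF
}

case "${1:-}" in
    apply) proxy_rules ;;
    squid) squid_acl_fragment ;;
    *) echo "usage: $0 apply|squid   (IPT=echo $0 apply for a dry run)" >&2 ;;
esac
```

Two squid ports are used on purpose: explicit proxy requests (including CONNECT for https) arrive on 3128, intercepted http on 3129, which avoids depending on how a given squid version treats explicit requests on an intercepted port. Note that the ACL order matters: the deny for blocked domains has to precede the allow for localnet.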