On Sun, 2007-02-11 at 15:42 -0300, Leonardo Rodrigues Magalhães wrote:
>
> vects wrote:
> > On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
> >
> >> Never used l7 for doing that kind of filtering, don't know if it's
> >> possible.
> >>
> >> Anyway, if you need some hard filtering based on URLs, both http and
> >> https, I would recommend that you use an http/https proxy, just like
> >> squid, for doing that.
> >>
> >> Completely block https (TCP/443) traffic with iptables and get your
> >> clients to use an http/https proxy and do the filtering there. I'm
> >> pretty convinced it will be easier and you'll have a lot more
> >> flexibility on the rules. Squid's ACLs are pretty flexible, you should
> >> give it a try.
> >>
> > Does it work in transparent mode (I mean for https)?
> > I just can't tell all clients to use squid by phone; https filtering
> > must be hidden from them. As I know, the latest squid supports totally
> > transparent mode, is that working for https also?
> >
>
> httpS simply can't be treated in completely transparent modes, because
> that would be detected as a 'man-in-the-middle' attack by the browser
> and would break the end-to-end cryptography that SSL/TLS uses.

agree.

>
> http can be completely transparent, but https cannot.

I have to find some other solution for my task; sounds like iptables with l7 is the one for me. Does somebody know another list I can ask for help?

>
> Anyway, if you search the archives, you'll find that it's a common
> opinion that iptables is not the right place, even with layer7 patches,
> to do complex layer7 filtering. It can even do some application
> filtering, but it's not supposed to replace application proxy tools,
> just like squid for http/https. Complex rules can be applied in an
> easier and more flexible way in the application layer, with an
> appropriate application proxy.
As I said, I have a condition: I can't contact customers and ask them to define a proxy server, and this prevents me from using an application proxy for https.

Thanks,
Alexc
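The point Leonardo makes above, that the URL of an HTTPS request cannot be matched on the wire without breaking TLS, can be made concrete by looking at what a filter sitting on TCP/443 actually gets to read. The following is an added example, not code from the original thread or from the netfilter or squid projects. It goes one step beyond the thread: the only request-related name a client sends in the clear is the Server Name Indication (SNI) extension in the TLS ClientHello, which the 2007 discussion does not mention and which this example assumes the client sends. The ClientHello is built by the example itself and the host names and path are constructed sample data; `build_client_hello`, `extract_sni` and `filter_decision` are names chosen here, not tools the thread refers to.

```python
"""Added example, not from the original thread: what an in-path filter on
TCP/443 can and cannot see of an HTTPS request.

The thread's point is that the URL sits inside the encrypted TLS channel,
so iptables (layer7 patches included) and a transparent proxy cannot match
on it without a man-in-the-middle. The only request-related name sent in
the clear is the Server Name Indication (SNI) of the TLS ClientHello. The
thread does not discuss SNI; this example assumes the client sends it.
Host names and the ClientHello itself are constructed sample data."""
import struct


def _u8(n):
    return struct.pack("!B", n)


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(host, path="/secret/report.pdf"):
    """Constructed TLS 1.2 ClientHello record; host=None omits the SNI.

    `path` exists only to make the point: it never appears in the
    handshake, because the HTTP request is sent after encryption starts."""
    extensions = b""
    if host is not None:
        name = host.encode("ascii")
        name_list = _u8(0) + _u16(len(name)) + name            # name_type 0 = host_name
        sni = _u16(len(name_list)) + name_list
        extensions = _u16(0) + _u16(len(sni)) + sni             # extension type 0 = server_name
    body = (
        b"\x03\x03"                        # client_version: TLS 1.2
        + b"\x00" * 32                     # random (constructed, all zero)
        + _u8(0)                           # session_id: empty
        + _u16(2) + b"\xc0\x2f"            # one cipher suite
        + _u8(1) + b"\x00"                 # compression_methods: null
        + _u16(len(extensions)) + extensions
    )
    handshake = _u8(1) + _u24(len(body)) + body                 # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake


def extract_sni(payload):
    """Return the SNI host_name from a TLS ClientHello record, else None.

    Plaintext HTTP, a mid-stream encrypted record or a truncated packet
    all yield None: nothing in them identifies the site."""
    if len(payload) < 5 or payload[0] != 0x16:        # not a TLS handshake record
        return None
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        q = 2                                         # skip server_name_list length
        while q + 3 <= len(data):
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            if data[q] == 0:                          # name_type host_name
                return data[q + 3:q + 3 + name_len].decode("ascii", "replace")
            q += 3 + name_len
    return None


def filter_decision(payload, blocked_hosts):
    """The most an l7-style rule on TCP/443 could do: match the SNI host.

    Returns "REJECT" for a blocked host and "ACCEPT" otherwise, including
    when no host is visible at all; the URL path is never available."""
    host = extract_sni(payload)
    if host is not None and host.lower() in blocked_hosts:
        return "REJECT"
    return "ACCEPT"
```

Running `extract_sni(build_client_hello("intranet.example"))` returns the host name, while the path passed to the builder is nowhere in the bytes; a ClientHello built with `host=None`, or a plaintext HTTP request that happens to arrive on port 443, yields `None`. That is the whole of what a packet filter can match on without terminating TLS: at best the site name, never the URL, which is why the thread points to a proxy that clients are explicitly configured to use.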