Quoting Merton Campbell Crockett <m.c.crockett@xxxxxxxxxxxx>:

> On 12 Apr 2006, at 06:49, Dwayne Hottinger wrote:
>
> > Sirs,
> >
> > I would like to have all internet requests go through my proxy server.
> > My firewall now redirects all port 80 requests to my proxy server, I
> > would like to have port 443 requests go there also, because my filtering
> > software resides on the proxy server, and to get around the filter, all
> > one has to do is use https: and they are no longer subject to the rules.
> > I read through the faq on https: and it doesn't look like this is what I
> > want. I added a rule to my firewall to redirect port 443 traffic to my
> > proxy server and it doesn't seem to work (timeouts), plus I have nothing
> > in either cache.log or access.log to indicate that https: traffic is
> > connecting. Do I have to do another build of squid and --enable-https:
> > or is this only for reverse proxy for my internal servers? Or can I add
> > an acl to address https traffic and if so, what? I am running Squid
> > Cache: Version 2.5.STABLE6
> > configure options: --enable-storeio=diskd,ufs --enable-smartfilter.
> > Redhat linux 8 kernel 2.4.19.
>
> Dwayne:
>
> This is not going to work. The only time that anything will be visible
> is during the initial establishment of the SSL connection between the
> client (browser) and the server. After the SSL connection is
> established, the HTTP request from the client and the HTTP response from
> the server are encrypted. You won't be able to apply your filtering
> rules.
>
> I am not part of the Squid development team and haven't used the HTTPS
> features. This feature only makes sense when Squid is being used as a
> front-end to a server where the SSL connection is being established
> between the client and the Squid proxy server with communications
> between the Squid proxy server and the HTTP server being performed
> without encryption.
>
> I'm sure that the Squid development team will correct me if I am wrong.
>
> Merton Campbell Crockett
> m.c.crockett@xxxxxxxxxxxx

Thanks, that is what I was thinking. Does anyone know of another way to handle this?

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
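
The point made in the quoted reply, as an added example that is not part of the original thread: a listener that receives redirected port 443 traffic gets a TLS handshake record instead of an HTTP request line, so there is no URL to filter. The host name `example.test` and all sample bytes are constructed, and reading the `server_name` extension goes beyond what the message states; it is present only when the client sends it.

```python
import struct
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}

def build_client_hello(host):
    """Constructed sample: minimal TLS 1.0 ClientHello with a server_name extension."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    names = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(names)) + names          # extension 0 = server_name
    body = (b"\x03\x01" + bytes(32)      # client_version, random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x00\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # record type 22 = handshake

def sni_from_client_hello(rec):
    """Walk the cleartext ClientHello and return the server name, or None."""
    p = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                                   # session_id
    p += 2 + int.from_bytes(rec[p:p + 2], "big")      # cipher_suites
    p += 1 + rec[p]                                   # compression_methods
    end = p + 2 + int.from_bytes(rec[p:p + 2], "big") # end of extensions block
    p += 2
    while p + 4 <= min(end, len(rec)):
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        if etype == 0:                                # list len(2), name type(1), name len(2)
            nlen = int.from_bytes(rec[p + 7:p + 9], "big")
            return rec[p + 9:p + 9 + nlen].decode("ascii", "replace")
        p += 4 + elen
    return None

def classify(first):
    """Describe what a listener can read from the first bytes of a connection."""
    method, _, rest = first.partition(b" ")
    if method in HTTP_METHODS:                        # plaintext request line: filterable
        return ("http", method.decode(), rest.split(b" ", 1)[0].decode("ascii", "replace"))
    if len(first) >= 6 and first[0] == 0x16 and first[1] == 0x03 and first[5] == 0x01:
        try:
            return ("tls-client-hello", sni_from_client_hello(first))
        except IndexError:                            # truncated handshake
            return ("tls-client-hello", None)
    return ("unknown",)

if __name__ == "__main__":
    for s in (b"GET /index.html HTTP/1.0\r\n\r\n", b"CONNECT example.test:443 HTTP/1.0\r\n\r\n",
              build_client_hello("example.test")):           # constructed inputs
        print(classify(s))
```

The `CONNECT` sample is the request a browser sends when it is explicitly configured to use a proxy for HTTPS; it names the host and port but still carries no path.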