On Tue, 2007-06-19 at 16:13 -0500, K K wrote: > ICAP doesn't support MITM "CONNECT" tunnel handling, though some ICAP > clients will forward the connect "URL" to an ICAP service to be > approved or denied, the ICAP standard doesn't allow for looking inside > the SSL/TLS conversation. I do not think ICAP, as a protocol, prohibits CONNECT or any other HTTP request method handling. An ICAP server can be written to inspect, block, and even adapt CONNECT headers and data streams. Whether a given proxy and a given ICAP server implementation can do something intelligent about CONNECT tunnels is a separate question. If there is enough demand, I am sure Squid will support ICAP-based inspection and selective blocking of CONNECT traffic. Alex.
