On 10/18/2013 02:20 PM, Derek Pinkston wrote:

> Maybe someone can answer this for me so I can definitively determine
> if Squid is still right for us. We have used squid and squidguard for
> years to block sites for parts of our company and restrict total
> access for other parts. However now that more and more sites are
> using https by default, the users who should not be surfing the
> internet are surfing through https... I thought that the newest
> versions of squid would easily remedy this, but so far that does not
> seem to be the case.

By default, no Squid version tries to decrypt HTTPS connections. Recent
Squid versions have the SslBump feature that can be used to decrypt HTTPS
connections. Without decryption, most URL filtering will work poorly and
content filtering will not work at all.

> Can squid+squid guard monitor and block https
> traffic without having to install certs on individual
> computers/browsers?

In short, no. Technically, you can block HTTPS traffic from/to a list of
IP addresses and sometimes host names, but such blocking will have to be
done very early in the HTTPS transaction lifetime, when very little
information is available. Intended URLs are not available, for example.
I do not know whether Squid Guard even has access to the transaction at
that early stage.

> I want this to be as un-intrusive as our previous setup was.

You can keep it unintrusive, but then you cannot police HTTPS. Pick your
poison.

BTW, this is not specific to Squid. Any proxy would offer you a similar
trade-off (although some might do a better or worse job of HTTPS
filtering based on IP addresses alone).

HTH,

Alex.
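
What a proxy has to work with when it does not decrypt HTTPS, as an added example that is not part of the original message and is not Squid or squidGuard code: it parses the CONNECT request an explicitly configured proxy receives and applies a host/IP block list. The domain names, address range and function names are constructed for illustration.

```python
import ipaddress

# Constructed policy for illustration; names and addresses are placeholders.
BLOCKED_DOMAINS = {"blocked.example"}  # also covers subdomains
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_connect(request_head: bytes):
    """Return (host, port) from a CONNECT request head, else None."""
    line = request_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.strip("[]").lower().rstrip("."), int(port)

def decide(request_head: bytes) -> str:
    """Decide from the only data visible before the TLS tunnel opens."""
    parsed = parse_connect(request_head)
    if parsed is None:
        return "not-connect"
    host, _port = parsed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a host name, not an IP literal
    if addr is not None:
        return "deny" if any(addr in net for net in BLOCKED_NETS) else "allow"
    labels = host.split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return "deny" if suffixes & BLOCKED_DOMAINS else "allow"

# Constructed CONNECT requests. The URL later fetched inside the tunnel
# (path, query, headers, body) never appears in any of them.
SAMPLES = [
    b"CONNECT www.blocked.example:443 HTTP/1.1\r\nHost: www.blocked.example:443\r\n\r\n",
    b"CONNECT mail.allowed.example:443 HTTP/1.1\r\nHost: mail.allowed.example:443\r\n\r\n",
    b"CONNECT 203.0.113.7:443 HTTP/1.1\r\n\r\n",
    b"CONNECT [2001:db8::1]:443 HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for head in SAMPLES:
        print(parse_connect(head), "->", decide(head))
```

Only the host and port reach the policy check, so a rule keyed on a URL path or on page content has nothing to match against unless the connection is decrypted.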