On 27/07/14 16:00, Dr.x wrote:
> Hi all, I have 2 questions. 1- Why, when I make a normal Squid with a normal http port and I direct my browser to ip/port, can it block https facebook,
Because the browser is aware of the cache and issues CONNECT requests for SSL sites. Squid can see these and block them.
> while if it is a transparent proxy it can't block https facebook??
You can't use CONNECT with a transparent proxy as it implies the client has been configured with a proxy (which would not be transparent).
> I'm talking about configuring a normal http proxy, not https! I wish a clarification. 2- Now if I use ssl bump and use transparent tproxy with https ... can I buy a trusted certificate and install it on squid so the users will not face the "certificate not trusted" message?
NO! This is about the 3rd or 4th time this question has appeared on this list. You can't use a cert from a commercial provider because you need the cert's private key to produce new certs signed by it (which the cert provider will not give you in a million years). If this worked it would make SSL useless.
> I mean, in a production network with many users, I need to block https youtube/facebook while keeping transparent tproxy.
You need to create your own CA, import the CA cert into your client browsers (which will get rid of the warning) and use the key to do dynamic cert generation in squid. Then it is possible to do either WPAD based browser config, or, I think (harder) do TPROXY with bumping.
NB unless you can import your own CA cert into all client browsers you *WILL* get certificate validation failures in the browser.
Cheers Alex
> with to help regards
> -----
> Dr.x
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/why-squid-can-block-https-when-i-point-my-browser-to-port-and-cant-when-its-transparent-tp4667069.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
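The difference Alex describes between the two modes, as an added example that is not part of this thread and not Squid's own code: a tiny policy check that mimics what an explicit proxy does with the first bytes it receives from a client. When the browser is configured to use the proxy it sends a plaintext `CONNECT host:port HTTP/1.1` line before any TLS data, so the hostname can be read and the request refused with a 403. When the connection is intercepted transparently there is no CONNECT line; the first bytes on the socket are already a TLS handshake record, so a request-line parser has nothing to match. The deny list and the sample request bytes are constructed for the example.

```python
"""Explicit-proxy CONNECT filtering versus transparent interception.

Added example (not Squid code). In explicit mode the hostname is visible in
the CONNECT request line; in transparent mode the proxy receives raw TLS.
"""
import re

# Constructed deny list: a leading dot matches the domain and all subdomains.
DENY_LIST = (".facebook.com", ".youtube.com")

# CONNECT <host-or-[ipv6]>:<port> HTTP/1.x  (bracketed IPv6 tried first)
CONNECT_RE = re.compile(
    rb"^CONNECT\s+(\[[^\]]+\]|[^\s:]+):(\d{1,5})\s+HTTP/1\.[01]\r?\n"
)


def parse_connect(data: bytes):
    """Return (host, port) if data starts with an HTTP CONNECT line, else None."""
    m = CONNECT_RE.match(data)
    if not m:
        return None
    host = m.group(1).decode("ascii").lower().strip("[]")
    return host, int(m.group(2))


def is_denied(host: str) -> bool:
    """Suffix match against DENY_LIST; ".facebook.com" also covers "facebook.com"."""
    host = host.lower().rstrip(".")
    for pattern in DENY_LIST:
        if host == pattern.lstrip(".") or host.endswith(pattern):
            return True
    return False


def decide(data: bytes) -> str:
    """Policy decision on the first bytes read from a client socket."""
    target = parse_connect(data)
    if target is None:
        # A TLS record starts with content type 0x16 (handshake) and major
        # version 0x03: this is what a transparently intercepted HTTPS
        # connection looks like. No HTTP request line, nothing to match on.
        if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
            return "unmatched-tls"
        return "not-connect"
    host, _port = target
    return "deny" if is_denied(host) else "allow"


def deny_response() -> bytes:
    """The reply an explicit proxy would send instead of tunnelling."""
    body = b"Access denied by proxy policy\r\n"
    return (
        b"HTTP/1.1 403 Forbidden\r\n"
        b"Content-Type: text/plain\r\n"
        b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
        b"Connection: close\r\n\r\n" + body
    )


# Constructed samples of what the proxy sees first in each mode.
EXPLICIT_FB = b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n"
EXPLICIT_OK = b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n"
# Transparent interception: a TLS handshake record header (type 0x16,
# version 3.1, length 0xA5) followed by the start of a ClientHello.
TRANSPARENT_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xA5, 0x01]) + b"\x00" * 8

if __name__ == "__main__":
    for label, sample in (("explicit facebook", EXPLICIT_FB),
                          ("explicit example.org", EXPLICIT_OK),
                          ("transparent tls", TRANSPARENT_TLS)):
        print(f"{label}: {decide(sample)}")
```

Running it shows `deny` for the explicit Facebook CONNECT, `allow` for example.org, and `unmatched-tls` for the intercepted connection, which is the situation Alex describes: without a client-side proxy setting there is no CONNECT to act on, and the only remaining option is the own-CA bumping setup he outlines.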