Re: Peek'n Splice (ssl_bump) and authentication Somewhat OT: Content Filter with https


On 10/06/2016 2:26 p.m., Sergio Belkin wrote:
> 2016-06-08 20:30 GMT-03:00 Marcus Kool <marcus.kool@xxxxxxxxxxxxxxx>:
> 
>>
>>
>> On 06/08/2016 07:53 PM, Sergio Belkin wrote:
>>
>>>
>>> Thanks Eliezer, good summary. I've changed the subject to reflect better
>>> the issue. As far as I understand from the documentation one can bump https
>>> only by interception.
>>>
>>
>> No.  ssl-bump works very well with regular proxy mode, i.e. the browsers
>> configure the address and port of the proxy or use PAC.
>>
>>> But what about if one Windows user login against an Active Directory, will
>>> the authentication work to use the proxy?
>>>
>>> I mean, what I'd want is:
>>>
>>> - Only users of an Active Directory can use the proxy
>>>
>>
>> In regular proxy mode, authentication and peek+splice works fine.
>> Note that peek+splice does not require Squid CA certificates on the
>> clients.
>>
> 
> 
> 
> With peek+splice I block urls without CA certificates on the clients?
> Remember I mean urls, not only domains!

The *URL* is buried inside the encryption.

The server hostname (aka 'domain' to some) is available in the
plain-text metadata.

Peek+Splice only uses the metadata. No decryption.

So ... *URL* is never available when splice'ing traffic regardless of
what you do to the clients.


Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
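
The setup discussed in this thread, as an added configuration sketch that is not part of the original messages: regular (explicit) proxy mode with authentication, plus peek+splice filtering on the TLS server name only. It assumes Squid 3.5-style syntax; the helper path, Kerberos principal, certificate path and the `.blocked.example` domain are placeholders.

```conf
# Added example, not from the thread. All paths and names are placeholders.

# Explicit proxy port: browsers are configured with this address/port or a PAC file.
# The ssl-bump option requires a certificate to be configured on the port, but
# spliced connections are tunnelled untouched, so clients need no Squid CA.
http_port 3128 ssl-bump cert=/etc/squid/placeholder-ca.pem

# Authentication against the directory. In explicit mode the CONNECT request
# itself carries the Proxy-Authorization header, so it works for HTTPS too.
# (Helper location and service principal are assumptions; adjust per distro/site.)
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.internal@EXAMPLE.INTERNAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl ad_users proxy_auth REQUIRED

acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports
http_access deny !ad_users
http_access allow ad_users
http_access deny all

# Peek at the TLS ClientHello (step 1) to read the server name (SNI).
acl step1 at_step SslBump1
ssl_bump peek step1

# Hostname-level decision only: the SNI is plain-text metadata.
acl blocked_hosts ssl::server_name .blocked.example
ssl_bump terminate blocked_hosts

# Everything else is passed through without decryption.
ssl_bump splice all

# No url_regex / urlpath_regex rule can act on the HTTPS request path here:
# with splice the request line stays inside the encrypted tunnel, so the
# finest granularity available is the server hostname.
```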