On 10/06/2016 2:26 p.m., Sergio Belkin wrote:
> 2016-06-08 20:30 GMT-03:00 Marcus Kool <marcus.kool@xxxxxxxxxxxxxxx>:
>
>> On 06/08/2016 07:53 PM, Sergio Belkin wrote:
>>
>>> Thanks Eliezer, good summary. I've changed the subject to reflect better
>>> the issue. As far as I understand from documentation one can bump https only by
>>> interception.
>>
>> No. ssl-bump works very well with regular proxy mode, i.e. the browsers
>> configure the address and port of the proxy or use PAC.
>>
>>> But what about if one Windows user login against an Active Directory, will
>>> the authentication work to use the proxy?
>>>
>>> I mean, what I'd want is:
>>>
>>> - Only users of an Active Directory can use the proxy
>>
>> In regular proxy mode, authentication and peek+splice works fine.
>> Note that peek+splice does not require Squid CA certificates on the
>> clients.
>
> With peek+splice I block urls without CA certificates on the clients?
> Remember I mean urls, not only domains!

The *URL* is buried inside the encryption. The server hostname (aka
'domain' to some) is available in the plain-text metadata.

Peek+Splice only uses the metadata. No decryption.

So ... *URL* is never available when splice'ing traffic regardless of
what you do to the clients.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users