Re: How to configure a "proxy home" page ?

Yuri <yvoinov@xxxxxxxxx> · Sun, 25 Mar 2018 21:41:54 +0600



    25.03.2018 20:32, Matus UHLAR -
      fantomas пишет:

    
          Le 25/03/2018 à 13:08, Yuri a écrit :
            

            The problem is not install proxy CA.
              The problem is identify client
              

              has no proxy CA and redirect, and do it only one time.
              

          On 25.03.18 13:46, Nicolas Kovacs wrote:
          

          That is exactly the problem. And I
            have yet to find a solution for that.
            

            Current method is instruct everyone - with a printed paper
            in the office
            

            - to connect to proxy.company-name.lan and then get further
            instructions
            

            from the page. This works, but an automatic splash page
            would be more
            

            elegant.
            

      25.03.2018 18:42, Matus UHLAR - fantomas
        пишет:
        

        impossible and unsafe. The CA must be
          installed before such splash
          

          page shows
          

      On 25.03.18 18:44, Yuri wrote:
      

      Possible. "Safe/Unsafe" should not be
        discussion when SSL Bump
        

        implemented already.
        

      it's possible to install splash page, but not install trusted
      authority
      

      certificate.  Using such authority on a proxy is the MITM attack
      and whole
      

      SSL has been designed to prevent this.
      

    Heh. If SSL designed - why SSL Bump itself possible? ;):-P

    
      without certificate, the browser complains which is a security
      measure
      

      against this.
      

    Sure. It should.

    
        up and in such case the splash page is
          irelevant.
          

          If you have windows domain, you can force security policy
          through it.
          

      In enterprise environment with AD, yes.
        But hardly in service provider's
        

        scenarious.
        

      service providers should not do this without users' permission.
      

      at least not in countries where the privacy is guaranteed by law.
      

    Thank you, Captain Obvious. :-)
    Enterprises also should get user agreement before do that.
    Especially in BYOD scenarious.

    
    All these things are
        well known here. The question was about
        technical implementation, and not about the well-known truisms
        in the field of security and privacy (in most cases of
        ephemeral).

    
    -- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
  

Attachment:
signature.asc

Description: OpenPGP digital signature
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users