Yep. That's why https encrypts the url transmission. The point is you aren't *supposed* to be able to do that securely. Your reverse proxy which does this will look like the standard hotel room silliness.
2009/10/29 Matthew Young <myoung24...@gmail.com>:
> Hello,
>
> If I use a reverse proxy I would have to know the SSL key of the
> remote SSL site (gmail.com) so that the reverse proxy server would
> decrypt and encrypt, if I am not mistaken.
>
> -- Matt
>
> On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck <b...@ualberta.ca> wrote:
>> apache or other reverse proxy.
>>
>>
>> 2009/10/29 Matthew Young <myoung24...@gmail.com>:
>>> Hello,
>>>
>>>
>>> I am looking for a way to have an allowed list of SSL enabled sites
>>> that an end user can browse, but this entirely done on a server level
>>> with _zero_ configuration on the pc.
>>>
>>> In a dream world, squid would be able to transparently proxy https and
>>> thus I would create an allowed list of ssl sites specific to each LAN
>>> user (based on private IP or MAC) that he/she can access. As we know
>>> this isn't the case because this breaks SSL.
>>>
>>> Does anybody know a way I can actually accomplish this?
>>>
>>> My Thoughts:
>>> I thought of a way to then take my list of SSL enabled sites
>>> (gmail.com for example) and resolve the domain to an IP and then add
>>> it in a firewall so that X user has
>>> access to port 443 for only those specific IPs. However the downside
>>> to this is that if gmail (or any other site I do this) changes the IP
>>> (which they will) the firewall rule which is static would need an
>>> update. Besides gmail's https hostname resolves to the same IP of
>>> google.com A records so I would be fiddling with those at the same
>>> time and thus basically be allowing or disallowing the entire google
>>> domain when I truly really wanted just an access list of gmail.com.
>>>
>>> Would there be a way to make then some type of sniffer which would
>>> capture when users try to enter a https site and then somehow create a
>>> dynamic rule of some kind to let traffic out based on an allowed list?
>>>
>>> There must be a practical way, right guys?
>>>
>>> Thanks
>>>
>>> --Matt
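The resolve-to-IP approach sketched in the original question, as an added example that is not from the thread or any of its participants: it resolves an allow-list, emits pf rules restricting one user to port 443 on those addresses, and flags addresses served by more than one allowed hostname (the gmail.com/google.com overlap the question points out). The resolver is injected and the addresses below are constructed RFC 5737 documentation values so it runs offline; the pf table name, the `egress` interface group and the user IP 10.0.0.5 are assumptions, and the rules go stale whenever DNS changes, so they must be regenerated.

```python
import socket
from collections import defaultdict

def resolve_all(hostnames, resolver=socket.gethostbyname_ex):
    """Map each hostname to the IPv4 addresses it resolves to right now
    (resolver follows socket.gethostbyname_ex: (name, aliases, [ip, ...]))."""
    addrs = {}
    for host in hostnames:
        try:
            _, _, ips = resolver(host)
        except OSError:
            ips = []                      # unresolvable names get no rule
        addrs[host] = set(ips)
    return addrs

def shared_addresses(addrs):
    """Return {ip: [hosts]} for addresses that serve more than one allowed name.
    Passing such an IP for one name silently allows every other name behind it."""
    owners = defaultdict(list)
    for host, ips in addrs.items():
        for ip in ips:
            owners[ip].append(host)
    return {ip: sorted(h) for ip, h in owners.items() if len(h) > 1}

def pf_rules(user_ip, addrs, table="https_allow"):
    """Emit a pf table and rules letting user_ip reach port 443 only on table members.
    'quick' makes the pass match first; any other 443 traffic from the user is blocked."""
    ips = sorted({ip for s in addrs.values() for ip in s})
    return [
        f"table <{table}> {{ {', '.join(ips)} }}",
        f"pass out quick on egress proto tcp from {user_ip} to <{table}> port 443",
        f"block out quick on egress proto tcp from {user_ip} to any port 443",
    ]

# Constructed lookup table standing in for DNS (RFC 5737 documentation addresses).
CONSTRUCTED_DNS = {
    "gmail.com":   ("gmail.com",   [], ["192.0.2.10", "192.0.2.11"]),
    "google.com":  ("google.com",  [], ["192.0.2.10"]),
    "example.org": ("example.org", [], ["198.51.100.7"]),
}

def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed DNS has no entry for {host}")
    return CONSTRUCTED_DNS[host]

if __name__ == "__main__":
    addrs = resolve_all(list(CONSTRUCTED_DNS), constructed_resolver)
    print(shared_addresses(addrs))        # 192.0.2.10 is shared by gmail.com and google.com
    print("\n".join(pf_rules("10.0.0.5", {"gmail.com": addrs["gmail.com"]})))
```

Run it periodically (cron) and reload the table with `pfctl`, since the static rules only reflect the addresses seen at generation time.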