Hello,
Iam looking for a way to have an allowed list of SSL enabled sites that a end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to tranparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isnt the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site i do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmails https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truely really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
