Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. Iam not mistaken.
-- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck <b...@ualberta.ca> wrote: > apache or other reverse proxy. > > > 2009/10/29 Matthew Young <myoung24...@gmail.com>: >> Hello, >> >> >> Iam looking for a way to have an allowed list of SSL enabled sites >> that a end user can browse, but this entirely done on a server level >> with _zero_ configuration on the pc. >> >> In a dream world, squid would be able to tranparently proxy https and >> thus I would create an allowed list of ssl sites specific to each LAN >> user (based on private IP or MAC) that he/she can access. As we know >> this isnt the case because this breaks SSL. >> >> Does anybody know a way I can actually accomplish this? >> >> My Thoughts: >> I thought of a way to then take my list of SSL enabled sites >> (gmail.com for example) and resolve the domain to an IP and then add >> it in a firewall so that X user has >> access to port 443 for only those specific IPs. However the downside >> to this is that if gmail (or any other site i do this) changes the IP >> (which they will) the firewall rule which is static would need an >> update. Besides gmails https hostname resolves to the same IP of >> google.com A records so I would be fiddling with those at the same >> time and thus basically be allowing or disallowing the entire google >> domain when I truely really wanted just an access list of gmail.com. >> >> Would there be a way to make then some type of sniffer which would >> capture when users try to enter a https site and then somehow create a >> dynamic rule of some kind to let traffic out based on an allowed list? >> >> There must be a practical way, right guys? >> >> Thanks >> >> --Matt
