may be able to do something with relayd, though i'm not sure. J
On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young <myoung24...@gmail.com>wrote: > Hello, > > If I use a reverse proxy I would have to know the SSL key of the > remote SSL site. (gmail.com) so that the reverse proxy server would > decrypt and encrypt. Iam not mistaken. > > -- Matt > > On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck <b...@ualberta.ca> wrote: > > apache or other reverse proxy. > > > > > > 2009/10/29 Matthew Young <myoung24...@gmail.com>: > >> Hello, > >> > >> > >> Iam looking for a way to have an allowed list of SSL enabled sites > >> that a end user can browse, but this entirely done on a server level > >> with _zero_ configuration on the pc. > >> > >> In a dream world, squid would be able to tranparently proxy https and > >> thus I would create an allowed list of ssl sites specific to each LAN > >> user (based on private IP or MAC) that he/she can access. As we know > >> this isnt the case because this breaks SSL. > >> > >> Does anybody know a way I can actually accomplish this? > >> > >> My Thoughts: > >> I thought of a way to then take my list of SSL enabled sites > >> (gmail.com for example) and resolve the domain to an IP and then add > >> it in a firewall so that X user has > >> access to port 443 for only those specific IPs. However the downside > >> to this is that if gmail (or any other site i do this) changes the IP > >> (which they will) the firewall rule which is static would need an > >> update. Besides gmails https hostname resolves to the same IP of > >> google.com A records so I would be fiddling with those at the same > >> time and thus basically be allowing or disallowing the entire google > >> domain when I truely really wanted just an access list of gmail.com. > >> > >> Would there be a way to make then some type of sniffer which would > >> capture when users try to enter a https site and then somehow create a > >> dynamic rule of some kind to let traffic out based on an allowed list? > >> > >> There must be a practical way, right guys? > >> > >> Thanks > >> > >> --Matt