Not unless you know the IP addresses of everything you're hitting.  No
amount of magic will make relayd intercept an HTTPS session and get
the URL out without sending a bogus certificate to the user.  If you
have a limited set of places to go, sure, it'll work, but so will just
a plain old pf rule restricting outbound 443 connections to the same
set of addresses.  Trying to do this for Akamai-type moving targets
will be an exercise in frustration though.

You could always just ensure all your users are using Internet
Explorer or Firefox with all the whining turned off, and intercept the
SSL cookies anyway. Most of the users probably won't notice or will
click OK and simply blather along after clicking OK enough times to
make it accept the forgery.

2009/10/29 James Records <james.reco...@gmail.com>:
> may be able to do something with relayd, though i'm not sure.
>
> J
>
> On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young <myoung24...@gmail.com>
> wrote:
>>
>> Hello,
>>
>> If I use a reverse proxy I would have to know the SSL key of the
>> remote SSL site (gmail.com) so that the reverse proxy server could
>> decrypt and encrypt. I am not mistaken.
>>
>> -- Matt
>>
>> On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck <b...@ualberta.ca> wrote:
>> > apache or other reverse proxy.
>> >
>> >
>> > 2009/10/29 Matthew Young <myoung24...@gmail.com>:
>> >> Hello,
>> >>
>> >>
>> >> I am looking for a way to have an allowed list of SSL-enabled sites
>> >> that an end user can browse, but this entirely done on a server level
>> >> with _zero_ configuration on the PC.
>> >>
>> >> In a dream world, squid would be able to transparently proxy https and
>> >> thus I would create an allowed list of SSL sites specific to each LAN
>> >> user (based on private IP or MAC) that he/she can access. As we know
>> >> this isn't the case because this breaks SSL.
>> >>
>> >> Does anybody know a way I can actually accomplish this?
>> >>
>> >> My Thoughts:
>> >> I thought of a way to then take my list of SSL-enabled sites
>> >> (gmail.com for example) and resolve the domain to an IP and then add
>> >> it in a firewall so that X user has
>> >> access to port 443 for only those specific IPs.  However the downside
>> >> to this is that if gmail (or any other site I do this for) changes the IP
>> >> (which they will) the firewall rule, which is static, would need an
>> >> update. Besides, gmail's https hostname resolves to the same IP as
>> >> google.com's A records, so I would be fiddling with those at the same
>> >> time and thus basically be allowing or disallowing the entire google
>> >> domain when I truly wanted just an access list for gmail.com.
>> >>
>> >> Would there be a way to make then some type of sniffer which would
>> >> capture when users try to enter a https site and then somehow create a
>> >> dynamic rule of some kind to let traffic out based on an allowed list?
>> >>
>> >> There must be a practical way, right guys?
>> >>
>> >> Thanks
>> >>
>> >> --Matt
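
The address-based allowlist that both the reply above ("a plain old pf rule restricting outbound 443 connections to the same set of addresses") and Matt's own proposal describe, including his worry that gmail.com and google.com resolve to the same addresses, worked through as an added example. This is not code from the thread or from OpenBSD: the pf.conf lines in the docstring, the table name ssl_allow, the file path and the $lan_user macro are assumptions, and FAKE_DNS is constructed data in RFC 5737 documentation ranges that stands in for the live resolver so the script runs offline.

```python
"""Allowlist outbound HTTPS by destination address with a pf table.

Resolve the allowed hostnames, produce the address list for a pf table file,
and flag every address that an allowed name shares with a name you meant to
block: an address-based rule cannot tell those two names apart.

Assumed pf.conf (example only, not from the thread):
    table <ssl_allow> persist file "/etc/pf.ssl_allow"
    block out on $ext_if proto tcp to port 443
    pass  out on $ext_if proto tcp from $lan_user to <ssl_allow> port 443
pf applies the last matching rule unless "quick" is given, so the pass rule
must follow the block.  After rewriting the file, reload the table with:
    pfctl -t ssl_allow -T replace -f /etc/pf.ssl_allow
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Same shape as socket.gethostbyname_ex: (canonical name, aliases, addresses)
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def resolve_all(names: Iterable[str],
                resolver: Resolver = socket.gethostbyname_ex) -> Dict[str, Set[str]]:
    """Map each name to the set of IPv4 addresses it currently resolves to.

    A name that fails to resolve maps to an empty set instead of aborting the
    run, so one dead entry in the allowlist does not empty the whole table."""
    result: Dict[str, Set[str]] = {}
    for name in names:
        try:
            _, _, addrs = resolver(name)
        except socket.gaierror:
            addrs = []
        result[name] = set(addrs)
    return result


def build_table(allowed: Iterable[str], denied: Iterable[str],
                resolver: Resolver = socket.gethostbyname_ex
                ) -> Tuple[List[str], Dict[str, Tuple[Set[str], Set[str]]]]:
    """Return (table_lines, collisions).

    table_lines: the addresses to write to the pf table file, in address order.
    collisions:  address -> (allowed names, denied names) for every address
                 that both an allowed name and a denied name resolve to.
                 Loading such an address also opens the denied names."""
    allowed_map = resolve_all(allowed, resolver)
    denied_map = resolve_all(denied, resolver)
    table = sorted({ip for ips in allowed_map.values() for ip in ips},
                   key=ipaddress.ip_address)
    collisions: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for ip in table:
        hit_allowed = {n for n, ips in allowed_map.items() if ip in ips}
        hit_denied = {n for n, ips in denied_map.items() if ip in ips}
        if hit_denied:
            collisions[ip] = (hit_allowed, hit_denied)
    return table, collisions


def pfctl_replace_command(table_name: str, path: str) -> List[str]:
    """argv for atomically replacing the table contents from a file."""
    return ["pfctl", "-t", table_name, "-T", "replace", "-f", path]


# Constructed DNS data (RFC 5737 ranges) standing in for the live resolver.
# mail.example.com and www.example.com deliberately share 192.0.2.10 to
# reproduce the gmail.com/google.com overlap raised in the thread.
FAKE_DNS = {
    "mail.example.com": ["192.0.2.11", "192.0.2.10"],
    "www.example.com": ["192.0.2.10"],
    "docs.example.org": ["198.51.100.5"],
}


def fake_resolver(name: str) -> Tuple[str, List[str], List[str]]:
    """Offline stand-in for socket.gethostbyname_ex over the constructed data."""
    if name not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no address for {name}")
    return name, [], list(FAKE_DNS[name])


if __name__ == "__main__":
    table, collisions = build_table(
        allowed=["mail.example.com", "docs.example.org"],
        denied=["www.example.com"],
        resolver=fake_resolver,
    )
    print("\n".join(table))  # contents for /etc/pf.ssl_allow
    for ip, (ok, bad) in collisions.items():
        print(f"WARNING {ip}: allowing {sorted(ok)} also opens {sorted(bad)}")
    print(" ".join(pfctl_replace_command("ssl_allow", "/etc/pf.ssl_allow")))
```

Run as written it uses the constructed resolver; to drive a real table, call build_table with the default resolver, write table_lines to the file named in pf.conf, run the argv that pfctl_replace_command returns, and refuse to load when collisions is non-empty, since every address listed there would also let the user reach a name you meant to block. Re-running it from cron is what keeps the static rule from going stale when the site's addresses change, which is the other problem Matt raises.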
