Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

Thu, 29 Oct 2009 14:57:39 -0700

I'm not sure about Linux, but with Windows the WPAD works fine, even if the computers are not member of an AD. The IE comes with the default "Automatic proxy configuration".
So, you don't need to configure it. The problem is that some programs try to find the wpad script in the wrong (?) place. The AV programs are good examples. To solve this problem, my wpad script is in the default site and I don't have to bother with configuring the AV on each computer. 

Rgds,
PS: When I say "wrong place", I mean a place different than Windows.




----- Original Message ----- 
From: "Matthew Young" <myoung24...@gmail.com>

To: <misc@openbsd.org>
Sent: Thursday, October 29, 2009 7:02 PM

Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. 
would it help, other possible solution?




Marcello,

Thank you.. this is good except that I need to configure all my
browsers for downloading the pac file, and some Adware,/antivirus will
not auto discover this.. my users are linux as well as windows sadly.
So while this is a lot more practical then manually configuring
proxies in the machines it is not an option for for the requirement of
this project.

Thanks.

-Matt

On Thu, Oct 29, 2009 at 3:55 PM, Bob Beck <b...@ualberta.ca> wrote:

browsing ssl by IP addresses will also result in certificate conflicts
- because the ssl cert is for the name not the IP address.

So if they were willing to do that, they're willing to have your
stupid reverse proxy mitm all your certificates since they'll also
fail.

Perhaps between my extermely subtle taunting, I should give up and
just ask you *why* the hell do you want to do this?


2009/10/29 Matthew Young <myoung24...@gmail.com>:

THis is great, however out LAN users are all technical. they would
know and the next thing I have is people browsing the internet through
IPs.

It was good, but not applicable here.



On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe <chris.kue...@gmail.com> 
wrote:

So run your own dns and only resolve good domains. Then the proxy can 
only

find the things you want it to.

On Oct 29, 2009 1:03 PM, "Matthew Young" <myoung24...@gmail.com> wrote:

Hello,

If I use a reverse proxy I would have to know the SSL key of the
remote SSL site. (gmail.com) so that the reverse proxy server would
decrypt and encrypt. Iam not mistaken.

-- Matt


On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck <b...@ualberta.ca> wrote: > 
apache

or other reverse proxy...

























					Reply via email to