Re: [squid-users] HTTPS Proxy Question

2010-03-18 Thread K K
See: http://wiki.squid-cache.org/Features/SslBump

On Thu, Mar 18, 2010 at 11:54 AM, Sheahan, John wrote:
> If Squid is configured to use the "squid wildcard certificate", does this 
> mean that all of the HTTPS clients have to manually accept this certificate 
> in order to proxy HTTPS through squid?

Same issues as with Blue Coat and "SSL Intercept".  Some tunneled
protocols and a few websites will fail when intercepted, so you must
have provisions to make exceptions (e.g. "ssl_bump deny broken_sites").

Generally you would have the clients pre-loaded with your private CA
certificate. For MSIE you can do this by GPO; for some other
browsers/OSes you do have to manually load the CA certificate, once.

Kevin


RE: [squid-users] HTTPS Proxy Question

2010-03-18 Thread Sheahan, John
If Squid is configured to use the "squid wildcard certificate", does this mean 
that all of the HTTPS clients have to manually accept this certificate in order 
to proxy HTTPS through squid?

thanks

-Original Message-
From: Denys Fedorysychenko [mailto:nuclear...@nuclearcat.com] 
Sent: Thursday, March 18, 2010 11:44 AM
To: squid-users@squid-cache.org
Cc: Sheahan, John
Subject: Re: [squid-users] HTTPS Proxy Question

On Thursday 18 March 2010 17:36:09 Sheahan, John wrote:
> Does Squid actually proxy HTTPS connections or does it just tunnel it?
> 
> The reason I ask is that if you install a Blue Coat proxy, it requires a
>  certificate to be installed from the Blue Coat box on all HTTPS clients
>  because they say it is "true" HTTPS proxy and does man in the middle and
>  Squid does not?
> 

Squid has the same mode, the same man-in-the-middle mode.
keywords "squid wildcard certificate"
It is probably good to tell them that they are quite unprofessional, because
either they lie, or they just don't know what open source can offer.

Btw this "true" mode is a huge security threat in some cases.


Re: [squid-users] HTTPS Proxy Question

2010-03-18 Thread Denys Fedorysychenko
On Thursday 18 March 2010 17:36:09 Sheahan, John wrote:
> Does Squid actually proxy HTTPS connections or does it just tunnel it?
> 
> The reason I ask is that if you install a Blue Coat proxy, it requires a
>  certificate to be installed from the Blue Coat box on all HTTPS clients
>  because they say it is "true" HTTPS proxy and does man in the middle and
>  Squid does not?
> 

Squid has the same mode, the same man-in-the-middle mode.
keywords "squid wildcard certificate"
It is probably good to tell them that they are quite unprofessional, because
either they lie, or they just don't know what open source can offer.

Btw this "true" mode is a huge security threat in some cases.


Re: [squid-users] HTTPS proxy

2008-02-26 Thread Alex Rousskov

On Tue, 2008-02-19 at 15:38 -0300, Marcus Kool wrote:
> 
> Matus UHLAR - fantomas wrote:
> > On 17.02.08 18:10, Sam Przyswa wrote:
> >> We use Squid and SquidGuard to control webmail access, which works fine,
> >> but for those who use the HTTPS protocol Squid/SquidGuard doesn't operate.
> >> Is there a way to control HTTPS as well as HTTP traffic?
> > 
> > no. the HTTPS traffic consists of CONNECT requests where the proxy has no
> > idea what URLs are being retrieved and what requests (GET/POST/...) pass
> > through it - that is the 's'="secure" in the https.
> 
> False. If https traffic goes via Squid, the URL can go to a redirector and
> filter based on either
> a) domain name
> b) connect to the site and verify valid certificate
> 
> ufdbGuard does this and successfully blocks SSH tunnels over HTTPS.

There is also the SSL Bump feature in Squid3 that allows decrypting
HTTPS on the fly for detailed inspection, usually with user consent:
http://wiki.squid-cache.org/Features/SslBump

HTH,

Alex.




Re: [squid-users] HTTPS proxy

2008-02-26 Thread Matus UHLAR - fantomas
> >On 17.02.08 18:10, Sam Przyswa wrote:
> >>We use Squid and SquidGuard to control webmail access, which works fine,
> >>but for those who use the HTTPS protocol Squid/SquidGuard doesn't operate.
> >>Is there a way to control HTTPS as well as HTTP traffic?

> Matus UHLAR - fantomas wrote:
> >no. the HTTPS traffic consists of CONNECT requests where the proxy has no
> >idea what URLs are being retrieved and what requests (GET/POST/...) pass
> >through it - that is the 's'="secure" in the https.

On 19.02.08 15:38, Marcus Kool wrote:
> False. If https traffic goes via Squid, the URL can go to a redirector and
> filter based on either
> a) domain name
> b) connect to the site and verify valid certificate

That means that HTTPS traffic can be controlled in a very limited way.

So my answer "no" to the question "Is there a way to control HTTPS as well
as HTTP traffic?" is imho correct :-)

However, specifying more information can of course help...

> ufdbGuard does this and successfully blocks SSH tunnels over HTTPS.
> Everybody should use ufdbGuard and have one security threat less. It is 
> free!

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe. 


Re: [squid-users] HTTPS proxy

2008-02-19 Thread Marcus Kool



Matus UHLAR - fantomas wrote:
> On 17.02.08 18:10, Sam Przyswa wrote:
>> We use Squid and SquidGuard to control webmail access, which works fine,
>> but for those who use the HTTPS protocol Squid/SquidGuard doesn't operate.
>> Is there a way to control HTTPS as well as HTTP traffic?
>
> no. the HTTPS traffic consists of CONNECT requests where the proxy has no
> idea what URLs are being retrieved and what requests (GET/POST/...) pass
> through it - that is the 's'="secure" in the https.


False. If https traffic goes via Squid, the URL can go to a redirector and
filter based on either
a) domain name
b) connect to the site and verify valid certificate

ufdbGuard does this and successfully blocks SSH tunnels over HTTPS.
Everybody should use ufdbGuard and have one security threat less. It is free!

Marcus



Re: [squid-users] HTTPS proxy

2008-02-19 Thread Matus UHLAR - fantomas
On 17.02.08 18:10, Sam Przyswa wrote:
> We use Squid and SquidGuard to control webmail access, which works fine,
> but for those who use the HTTPS protocol Squid/SquidGuard doesn't operate.
> Is there a way to control HTTPS as well as HTTP traffic?

no. the HTTPS traffic consists of CONNECT requests where the proxy has no
idea what URLs are being retrieved and what requests (GET/POST/...) pass
through it - that is the 's'="secure" in the https.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.
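The two approaches discussed in this thread in one squid.conf fragment, as an added example that is not from any poster: CONNECT-level control by destination domain (Marcus's option (a), which needs no decryption and is all the proxy can see from a CONNECT request) next to the SSL Bump interception with an exception ACL that Kevin describes. The syntax is Squid 3.1 era, where one certificate is presented for every bumped site; the port, file paths, certificate and domain names are assumptions.

```conf
# Added example for this thread, not any poster's configuration.
# Port, paths and domain names below are assumptions.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

# --- Option (a): control at the CONNECT level, without decryption.
# The proxy only sees "CONNECT host:port", so the decision is made on
# the destination domain; a leading dot matches the domain and its
# subdomains.
acl blocked_webmail dstdomain .webmail.example.com .mail.example.net

http_access deny CONNECT !SSL_ports
http_access deny CONNECT blocked_webmail

# --- SSL Bump: Squid's counterpart to Blue Coat "SSL Intercept".
# Clients must trust the CA that issued this certificate (pushed by GPO
# for MSIE, loaded manually once for other browsers/OSes).
http_port 3128 ssl-bump cert=/etc/squid/ssl/squidCA.pem key=/etc/squid/ssl/squidCA.key

# Tunneled protocols and sites that break when intercepted are passed
# through as plain CONNECT tunnels instead of being bumped.
acl broken_sites dstdomain .updates.example.org .bank.example.com
ssl_bump deny broken_sites
ssl_bump allow all

# Do not silently accept upstream certificate errors on bumped sites;
# the proxy is now the party validating the server for the client.
sslproxy_cert_error deny all

http_access allow localnet
http_access deny all
```

Bumped requests arrive at the usual http_access and url_rewrite (redirector) stages as ordinary HTTP, so SquidGuard or ufdbGuard rules written for HTTP apply to them as well.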


RE: [squid-users] HTTPS proxy

2008-02-17 Thread Thomas Raef
Drop squidguard and use ufdbguard. It's the best.

Thomas J. Raef

> -Original Message-
> From: Sam Przyswa [mailto:[EMAIL PROTECTED]
> Sent: Sunday, February 17, 2008 11:11 AM
> To: Squid Users List
> Subject: [squid-users] HTTPS proxy
> 
> Hi,
> 
> We use Squid and SquidGuard to control webmail access, which works fine,
> but for those who use the HTTPS protocol Squid/SquidGuard doesn't operate.
> Is there a way to control HTTPS as well as HTTP traffic?
> 
> Thanks in advance for your reply.
> 
> Sam.
> 