Hi,
I have Squid + SquidGuard + SquidAnalyzer running on my LAN server as a
transparent cache + filtering proxy, and it's working real nicely.
When a client in my company wants to connect to the wifi, all he or she
has to do is this:
1. Connect to http://nestor.microlinux.lan
2. Download the ne
I guess a better way to do this is to create a special ACL to catch exactly the
certificate error and then redirect by 302 using deny_info to a proxy page
with an explanation and the certificate.
Sadly, however, I have no full solution for this logic (we simply
install the proxy certificate manually), but the idea exists ;
Le 16/03/2018 à 13:43, Yuri a écrit :
> I guess a better way to do this is to create a special ACL to catch exactly the
> certificate error and then redirect by 302 using deny_info to a proxy
> page with an explanation and the certificate.
This sounds like the way to go.
I just removed the root certificate from one
I think you should dig in this direction:
# acl aclname ssl_error errorname
# # match against SSL certificate validation error [fast]
# #
# # For valid error names see in
# # /usr/local/squid/share/errors/templates/error-details.txt
# # template file.
# #
# # The foll
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il
-Original Message-
From: squid-users On Behalf Of
Nicolas Kovacs
Sent: Friday, March 16, 2018 12:37
To: squid-users@lists.squid-cache.org
Subject: [squid-users] How to configure a "proxy home" page ?
Le 25/03/2018 à 13:08, Yuri a écrit :
> The problem is not installing the proxy CA. The problem is identifying a client
> that has no proxy CA and redirecting it, and doing it only one time.
That is exactly the problem. And I have yet to find a solution for that.
The current method is to instruct everyone - with a printed paper
In principle, I do not consider as secure any technology that allows
MITM (even in theory) - whatever the purpose.
Since this is so, HTTPS is nothing more than security theater with a
green lock for calming users.
This does not mean that I do not care about the security and privacy of
user
Therefore, please, PLEASE, never mention SSL Bump and security/privacy
in one letter. O:-)
These are mutually exclusive concepts.
Just like HTTPS and security.
And yes, HTTPS is insecure by design and none of our actions make it
less insecure :-D
By the way, Amos. I have an idea spinning around. Is it possible to
specify an SSL error for an unknown certificate issuer, for correct
processing of the situation when the client does not have the proxy
certificate installed? This would greatly facilitate the task that we
are discussing.
We're
I mean, for example:
SSL_ERROR_CLIENT_DOES_NOT_KNOW_THIS_CA
during TLS negotiation between client and proxy.
To be separated from the rare cases when a real-world CA exists but is not yet
included in the well-known CA bundle.
Something like this. Now we can't differentiate the UNKNOWN_ISSUER error
- it is
On 26/03/18 11:05, Yuri wrote:
> And yes, HTTPS is insecure by design and none of our actions make it
> less insecure :-D
We are not talking about HTTPS. Only about TLS. Because the TLS decrypt
is what is "failing" at the time any of these details we are discussing
are relevant.
The "page" mentio
On 26/03/18 11:15, Yuri wrote:
> I mean, for example:
>
> SSL_ERROR_CLIENT_DOES_NOT_KNOW_THIS_CA
>
Consider carefully what the words "CLIENT_DOES_NOT_KNOW_THIS_CA" mean in
normal English.
Amos
___
squid-users mailing list
squid-users@lists.squid-cach
Waa. You're right. I hurried.
Hmm.
Seems we can't distinguish an unknown server CA from an unknown proxy CA.
Sadly.
> elliptic-curve host key on each host for a time
> [2] e.g. https://github.com/mitmproxy/mitmproxy
>
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Yuri
> Sent: Monday, 26 March 2018 03:13
> To: squid-users@lists.squid-ca
On 26.03.18 19:16, Yuri wrote:
Disagree.
My point about TLS is quite different.
SSH, by design, assumes end-to-end encryption and does not assume any
third party is trustworthy, like TLS does.
actually, ssh DOES support certificate authorities that sign client or
host keys, so you don't
On 25.03.18 23:47, Eliezer Croitoru wrote:
I do not know your level of JS or other things but... a splash page is merely a
transition step.
Since you can check using JS if the certificate is installed
And how do you push the JS into the client?
when the client tries to fetch https://www.google.com
Waaa, Matus,
the idea is trivial.
Catch the SSL UNKNOWN ISSUER error in squid's ACL and redirect by 302 to a
proxy page with instructions. Which requires the user's involvement.
How much can one repeat the obvious
Since the client should be involved, our business is to redirect him to
the instructions page where he will make a decision - whether to install the
proxy certificate or not. And on this page, in turn, is a script that
makes this task easier. But it does not install the certificate
automatically - in this w
Hi, I want to configure two Squids... Squid son transparent and Squid father the
authentication.. How can I do that
Ing. Carlos
On 26.03.18 21:47, Yuri wrote:
Waaa, Matus,
the idea is trivial.
Catch the SSL UNKNOWN ISSUER error in squid's ACL and redirect by 302 to a
proxy page with instructions. Which requires the user's involvement.
How much can one repeat the obvious
you can't catch the "SSL UNKNOWN ISSUER" on squid, sin
On 26.03.18 19:16, Yuri wrote:
SSH immediately notifies you
when the server key surprisingly changes.
26.03.2018 21:36, Matus UHLAR - fantomas пишет:
only when you already have the host key installed in your client. If
there's a MITM attack before you get the key, you will not notice that, unless you