On Wed, Dec 3, 2008 at 5:12 PM, Ermal Luçi <[EMAIL PROTECTED]> wrote:
> On Wed, Dec 3, 2008 at 5:40 PM, Bill Marquette <[EMAIL PROTECTED]> wrote:
>> On Wed, Dec 3, 2008 at 10:12 AM, Gary Buckmaster
>> <[EMAIL PROTECTED]> wrote:
>>> It can be done, although not if the proxy machine is inside your LAN.  It
>>> would need to live on a separate network segment (i.e. DMZ).  In this case,
>>> yes, it's possible to redirect outbound traffic for TCP 80 to the proxy
>>> machine, do your content filtering and pass it on.  You cannot transparently
>>> proxy SSL traffic in this manner, however, due to the fact that the streams
>>> are encrypted.
>>
>> Well, there are ways to do it, all of them evil :)  Consider it a
>> trusted MITM attack.  Wheeee...outside of commercial proxies however,
>> I know of no open source way to automate this (without lots of work on
>> the administrator end to set it up).
>>
>
> Actually relayd can do this!

I assume you are talking about the transparent mode of relayd which
isn't in the FreeBSD port (and I believe requires kernel work to be
usable?).  While it can terminate an HTTPS connection and send it to a
proxy, the proxy will have no idea that the destination should be
HTTPS (let alone on port 443).  You'd be better off using something
like HAProxy if you went that route.  My point was solely that "it
can't be done" isn't technically correct - only in the context of the
current state of technology in open source and pfSense in general (it
wouldn't take much for someone motivated to actually implement this
correctly though - decrypt SSL, figure out destination, turn it into a
CONNECT call through a proxy and re-encrypt - or proxy it yourself).

--Bill
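The sketch in Bill's message (decrypt, figure out the destination, turn it into a CONNECT through a parent proxy, re-encrypt) leaves one practical question open: how the intercepting box learns where the client was going, since the redirect rule has replaced the destination with the proxy itself. The following is an added example, not code from the thread, relayd, HAProxy or pfSense. It shows the two pieces an intercept needs before it can speak to an upstream proxy: pulling the hostname out of the TLS ClientHello's server_name (SNI) extension, and building the HTTP CONNECT request for it. The ClientHello is constructed inline as sample input; the `original_dst` tuple stands in for the pre-redirect address a real implementation would recover from the firewall's redirect state, which is not modelled here.

```python
"""Added example: recover the destination of a transparently redirected
TLS flow and build the CONNECT request an intercepting proxy would send
upstream. Not part of the original thread or of any pfSense component."""
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # server_name extension (RFC 6066)
SNI_HOST_NAME = 0x00


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record carrying an SNI extension.
    This is constructed sample input for the demo, not a real capture."""
    host = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + bytes(32)                 # random (all zeros; constructed)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite
        + b"\x01\x00"               # one compression method (null)
        + exts
    )
    handshake = (struct.pack("!B", HANDSHAKE_CLIENT_HELLO)
                 + len(body).to_bytes(3, "big") + body)
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def parse_client_hello_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None when the bytes
    are not a ClientHello or carry no SNI. Every read is bounds-checked:
    the bytes come from an untrusted client on the redirected socket."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) < hs_len:
        return None                 # truncated record, wait for more bytes
    pos = 2 + 32                    # skip client_version and random
    try:
        sid_len = hello[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hello[pos]; pos += 1 + cm_len
        if pos + 2 > len(hello):
            return None             # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > len(hello):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            if etype != EXT_SERVER_NAME or len(edata) < 2:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= min(2 + list_len, len(edata)):
                ntype, nlen = struct.unpack("!BH", edata[q:q + 3]); q += 3
                name = edata[q:q + nlen]; q += nlen
                if ntype == SNI_HOST_NAME and len(name) == nlen:
                    return name.decode("ascii")
    except (IndexError, struct.error):
        return None
    return None


def build_connect_request(host: str, port: int = 443) -> bytes:
    """HTTP CONNECT request the intercept sends to a parent proxy so that
    the re-encrypted stream is tunnelled on to the real origin."""
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def plan_intercept(first_bytes: bytes, original_dst: tuple) -> dict:
    """Decide how to forward one redirected TCP/443 flow.
    original_dst is the (ip, port) the client really dialled; here it is a
    constructed tuple standing in for the firewall's redirect state. SNI,
    when present, gives the name the upstream proxy and the forged server
    certificate must match; without it only the original IP is available."""
    sni = parse_client_hello_sni(first_bytes)
    host = sni or original_dst[0]
    return {"sni": sni, "connect": build_connect_request(host, original_dst[1])}
```

The hostname matters twice: it goes into the CONNECT authority so the parent proxy can reach the origin, and it is what the intercept's locally issued certificate has to be minted for, which is the "trusted MITM" part Bill describes; a client that does not send SNI forces a fall-back to the original destination IP, which is all the redirect itself preserves.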

Commercial support available - https://portal.pfsense.org