[squid-users] SUMMARY: proxy.pac vs manual proxy + LiveLink

From: Deb <deb@dont-contact.us>
Date: Thu, 15 Aug 2002 10:48:56 -0700

My apologies for letting this discussion drop for so long. I had
a large disk volume with problems, and other demands upon my time,
so it's been difficult getting back to you...

Joe Cooper <joe@swelltech.com> had this to say,
> Your virus filter isn't doing anything with SSL connections anyway. It
> is encrypted data--virus signatures cannot be compared against encrypted
> data.

Right. But - see my next comment.

> You can configure your proxy.pac file to only go direct for that one
> site, while leaving everything else proxied as usual, or you can bypass
> the proxy for all SSL traffic. There is little benefit in proxying SSL
> traffic,

Right - we're not proxying SSL traffic, but we are attempting to
log the access of clients to secure targets. This has been an
important aspect/side-effect of proxying.

> unless you like having an application level proxy between
> clients and the big bads that live on the internet.

We may go that route in the future, but it hasn't yet been mandated.

> Choosing to bypass
> the proxy for just one site allows you to open a small hole in the
> firewall between your network and the IP causing troubles rather than
> allowing all port 443 connections.

Didn't want to do this w/o understanding the problem and have it
come back to byte us again with a different site.

> Realize that some poorly implemented sites do not work with proxies.
> It's just a fact of life--we don't like it, but we probably can't get
> away with beating the people responsible with sticks until they fix
> their sites, either. So...we live with it by bypassing the proxy for
> those sites (and secretly put voodoo hexes on them...I bet WorldCom had
> a few sites that were incompatible with proxies, and you see what
> happened to them).

<sigh> Yes, of course, you're right. And, if I had the time, I'd work
more closely with the site administrator to actually figure out the
problem. But, we've decided that logging port 443 traffic in this
way is not a priority, so we've decided to side-step the proxy in our
proxy.pac with (essentially),

if (isInNet(host, "127.0.0.1", "255.255.255.255") ||
    shExpMatch(url, "https:*"))
    return "DIRECT";

Just the same, this problem is on my long-term list of things to
research. Could be that something else will jangle the bell and
perhaps we'll have more time to research it more fully.

Thanks everyone for responding. I love this list.

deb

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
          There are 010 types of people in the world:
      those that understand binary, and those that don't.
τΏτ
 ~ 
Received on Thu Aug 15 2002 - 11:48:59 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:38 MST
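The two PAC strategies discussed in the thread side by side, as an added example that is not code from the original post or from Squid: the bypass-all-HTTPS rule Deb settled on, and the narrower bypass-one-site rule Joe suggested, which keeps https:// requests flowing through Squid as CONNECT requests so access.log still records the target hostname. The proxy address (squid.example.internal:3128) and the misbehaving site (secure.example.com) are hypothetical. shExpMatch() and isInNet() are normally provided by the browser's PAC runtime; small stand-in implementations are included so the file runs under Node for testing (the stand-in isInNet only handles literal IPv4 addresses, whereas a real PAC runtime resolves hostnames first, which is also why isInNet() on every request can be slow).

```javascript
// Added example, not from the original post. Assumed (hypothetical) values:
const PROXY = "PROXY squid.example.internal:3128";
const BROKEN_SITE = "secure.example.com";

// Stand-in for the PAC runtime's shExpMatch(): shell-style glob where
// '*' matches any run of characters and '?' matches exactly one.
function shExpMatch(str, pattern) {
  const body = pattern.split("").map(c =>
    c === "*" ? ".*" :
    c === "?" ? "." :
    c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("");
  return new RegExp("^" + body + "$").test(str);
}

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ip2int(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p))) return null;
  const n = parts.map(Number);
  if (n.some(x => x > 255)) return null;
  return ((n[0] << 24) >>> 0) + (n[1] << 16) + (n[2] << 8) + n[3];
}

// Stand-in for the PAC runtime's isInNet(): true when host lies inside
// net/mask. Unlike the real one, this does not resolve hostnames, so a
// non-literal host never matches.
function isInNet(host, net, mask) {
  const h = ip2int(host), n = ip2int(net), m = ip2int(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Rule from the post: go DIRECT for loopback and for every HTTPS URL.
// Squid never sees the CONNECT, so https:// accesses vanish from access.log.
function findProxyBypassAllHttps(url, host) {
  if (isInNet(host, "127.0.0.1", "255.255.255.255") ||
      shExpMatch(url, "https:*"))
    return "DIRECT";
  return PROXY;
}

// Narrower rule suggested in the thread: go DIRECT only for loopback and
// the one site that misbehaves behind the proxy. All other traffic, HTTPS
// included, still reaches Squid as CONNECT host:443 requests, which the
// access log records by hostname. The firewall then only needs a 443 hole
// for that one site rather than for every client to anywhere.
// Note: returning PROXY + "; DIRECT" would make the browser fail open when
// the proxy is unreachable; return PROXY alone to keep the policy enforced.
function findProxyBypassOneSite(url, host) {
  if (isInNet(host, "127.0.0.1", "255.255.255.255") ||
      shExpMatch(host, BROKEN_SITE) ||
      shExpMatch(host, "*." + BROKEN_SITE))
    return "DIRECT";
  return PROXY;
}

// PAC entry point the browser calls; wired to the narrower rule.
function FindProxyForURL(url, host) {
  return findProxyBypassOneSite(url, host);
}
```

Served as-is (with the stand-in helpers removed or left in place; the browser's own shExpMatch/isInNet shadow them either way), the file keeps https:// traffic in Squid's access log while exempting only the one site that cannot cope with a proxy.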