My apologies for letting this discussion drop for so long. I had
a large disk volume with problems, and other demands upon my time,
so it's been difficult getting back to you...
Joe Cooper <joe@swelltech.com> had this to say,
> Your virus filter isn't doing anything with SSL connections anyway. It
> is encrypted data--virus signatures cannot be compared against encrypted
> data.
Right. But - see my next comment.
> You can configure your proxy.pac file to only go direct for that one
> site, while leaving everything else proxied as usual, or you can bypass
> the proxy for all SSL traffic. There is little benefit in proxying SSL
> traffic,
Right - we're not proxying SSL traffic, but we are attempting to
log the access of clients to secure targets. This has been an
important aspect/side-effect of proxying.
> unless you like having an application level proxy between
> clients and the big bads that live on the internet.
We may go that route in the future, but it hasn't yet been mandated.
> Choosing to bypass
> the proxy for just one site allows you to open a small hole in the
> firewall between your network and the IP causing troubles rather than
> allowing all port 443 connections.
Didn't want to do this w/o understanding the problem and have it
come back to byte us again with a different site.
> Realize that some poorly implemented sites do not work with proxies.
> It's just a fact of life--we don't like it, but we probably can't get
> away with beating the people responsible with sticks until they fix
> their sites, either. So...we live with it by bypassing the proxy for
> those sites (and secretly put voodoo hexes on them...I bet WorldCom had
> a few sites that were incompatible with proxies, and you see what
> happened to them).
<sigh> Yes, of course, you're right. And, if I had the time, I'd work
more closely with the site administrator to actually figure out the
problem. But, we've decided that logging port 443 traffic in this
way is not a priority, so we've decided to side-step the proxy in our
proxy.pac with (essentially),
function FindProxyForURL(url, host) {
    // loopback and all https: URLs skip the proxy; closing paren was missing
    if (isInNet(host, "127.0.0.1", "255.255.255.255") ||
        shExpMatch(url, "https:*"))
        return "DIRECT";
    return "PROXY proxy.example.com:3128";   // placeholder for our cache host
}
Just the same, this problem is on my long-term list of things to
research. Could be that something else will jangle the bell and
perhaps we'll have more time to research it more fully.
Thanks everyone for responding. I love this list.
deb
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
There are 010 types of people in the world: those that understand binary,
and those that don't.
Received on Thu Aug 15 2002 - 11:48:59 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:38 MST
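The thread weighs two PAC choices: Joe's suggestion of sending only the one troublesome host direct, and deb's broader rule of sending every https: URL direct, which also means the proxy's access log stops recording those targets. The proxy.pac below is an added example written for this archive page, not code from either poster. It encodes both policies side by side so the trade-off is visible, and it includes small stand-ins for isInNet and shExpMatch (the browser normally supplies those) so the file can be exercised outside a browser. The proxy address and the bypass host are placeholders.

```javascript
// Added example, not from the original message. The PAC helpers below are
// simplified stand-ins: a real browser provides isInNet/shExpMatch itself.

// Assumed placeholders, not hosts from the thread.
const PROXY = "PROXY proxy.example.internal:3128";
const BYPASS_HOSTS = ["broken-ssl-site.example.com"];

// Minimal shExpMatch: shell-style glob (* and ?) matched against the string.
function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                       .replace(/\*/g, ".*")
                       .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// Minimal isInNet: only handles a dotted-quad host (no DNS lookup), which is
// all the loopback rule from the thread needs. Returns false for names.
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = s => s.split(".")
                      .reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
  const m = toInt(mask);
  return ((toInt(host) & m) >>> 0) === ((toInt(pattern) & m) >>> 0);
}

// Narrow policy (Joe's suggestion): only the listed hosts go direct. Every
// other request, https included, still passes the proxy, so the access log
// keeps recording which secure targets clients connect to.
function findProxyNarrow(url, host) {
  if (isInNet(host, "127.0.0.1", "255.255.255.255")) return "DIRECT";
  const h = host.toLowerCase();
  if (BYPASS_HOSTS.some(b => h === b)) return "DIRECT";
  return PROXY;
}

// Broad policy (what the message settles on): all https: URLs go direct.
// Simpler, and nothing else can break the same way, but port 443 targets
// vanish from the proxy log entirely.
function findProxyBroad(url, host) {
  if (isInNet(host, "127.0.0.1", "255.255.255.255") ||
      shExpMatch(url, "https:*")) return "DIRECT";
  return PROXY;
}

// The browser only ever calls FindProxyForURL; choose which policy it gets.
function FindProxyForURL(url, host) {
  return findProxyNarrow(url, host);
}
```

Whichever policy is chosen, the proxy log only ever shows the CONNECT target for https: requests; it never shows the path, so the "logging" argument is about host names, not URLs. Note also that modern browsers strip the path from https: URLs before calling FindProxyForURL, which is why both policies key on the host or the scheme rather than anything after it.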