Re: [squid-users] ssl port 443

From: Dwayne Hottinger <dhottinger@dont-contact.us>
Date: Wed, 12 Apr 2006 10:40:27 -0400

Quoting Merton Campbell Crockett <m.c.crockett@adelphia.net>:

>
> On 12 Apr 2006, at 06:49 , Dwayne Hottinger wrote:
>
> > Sirs,
> >
> >
> > I would like to have all internet requests go through my proxy
> > server. My
> > firewall now redirects all port 80 requests to my proxy server, I
> > would like to
> > have port 443 requests go there also, because my filtering software
> > resides on
> > the proxy server, and to get around the filter, all one has to do
> > is use https:
> > and they are no longer subject to the rules. I read through the
> > faq on https:
> > and it doesn't look like this is what I want. I added a rule to my
> > firewall to
> > redirect port 443 traffic to my proxy server and it doesn't seem to
> > work
> > (timeouts), plus I have nothing in either cache.log or access.log
> > to indicate
> > that https: traffic is connecting. Do I have to do another build
> > of squid and
> > --enable-https: or is this only for reverse proxy for my internal
> > servers? Or
> > can I add an acl to address https traffic and if so, what? I am
> > running Squid
> > Cache: Version 2.5.STABLE6
> > configure options: --enable-storeio=diskd,ufs --enable-
> > smartfilter. Redhat
> > linux 8 kernel 2.4.19.
>
>
> Dwayne:
>
> This is not going to work. The only time that anything will be
> visible is during the initial establishment of the SSL connection
> between the client (browser) and the server. After the SSL
> connection is established, the HTTP request from the client and the
> HTTP response from the server are encrypted. You won't be able to
> apply your filtering rules.
>
> I am not part of the Squid development team and haven't used the
> HTTPS features. This feature only makes sense when Squid is being
> used as a front-end to a server where the SSL connection is being
> established between the client and the Squid proxy server with
> communications between the Squid proxy server and the HTTP server
> being performed without encryption.
>
> I'm sure that the Squid development team will correct me if I am wrong.
>
>
> Merton Campbell Crockett
> m.c.crockett@adelphia.net
>
>
>
Thanks,
That is what I was thinking. Does anyone know of another way to handle this?

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
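An added illustration of the point made above about redirecting port 443, not code from this thread or from Squid: it walks a constructed TLS stream the way a transparent proxy on port 443 would see it, showing that only the ClientHello is readable while the HTTP request and response sit in opaque application-data records. It goes slightly beyond the thread by also pulling the server name out of the SNI extension (the one thing a port-443 interceptor can log), which a 2006-era Squid 2.5 would not have looked at. Record and extension layout follow RFC 5246 / RFC 6066; all sample bytes are constructed.

```python
import os
import struct

# TLS record content types and the one handshake message type inspected here.
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO, SNI_EXTENSION = 0x01, 0x0000

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    host = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host              # host_name entry
    ext = (struct.pack("!HH", SNI_EXTENSION, len(sni_list) + 2)
           + struct.pack("!H", len(sni_list)) + sni_list)
    body = (struct.pack("!H", 0x0303) + os.urandom(32) + b"\x00"     # version, random, no session id
            + struct.pack("!HH", 2, 0x002F)                           # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

def build_app_data(ciphertext):
    """Constructed application-data record; the payload stands in for the encrypted HTTP."""
    return struct.pack("!BHH", APPLICATION_DATA, 0x0303, len(ciphertext)) + ciphertext

def sni_from_client_hello(hs):
    """Return the SNI host name from a ClientHello handshake message, or None."""
    i = 38                                            # skip type(1)+len(3)+version(2)+random(32)
    i += 1 + hs[i]                                    # session id
    i += 2 + struct.unpack("!H", hs[i:i + 2])[0]      # cipher suites
    i += 1 + hs[i]                                    # compression methods
    if i + 2 > len(hs):
        return None                                   # no extensions block at all
    end = i + 2 + struct.unpack("!H", hs[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[i:i + 4])
        i += 4
        if etype == SNI_EXTENSION:                    # list_len(2) name_type(1) name_len(2) host
            name_len = struct.unpack("!H", hs[i + 3:i + 5])[0]
            return hs[i + 5:i + 5 + name_len].decode()
        i += elen
    return None

def inspect_stream(data):
    """What a port-443 interceptor can see, per TLS record: a list of (kind, detail)."""
    seen, i = [], 0
    while i + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[i:i + 5])
        payload = data[i + 5:i + 5 + length]
        if ctype == HANDSHAKE and payload and payload[0] == CLIENT_HELLO:
            seen.append(("client_hello", sni_from_client_hello(payload)))
        elif ctype == APPLICATION_DATA:
            seen.append(("encrypted", len(payload)))  # URL, headers and body are all opaque here
        else:
            seen.append(("other", ctype))
        i += 5 + length
    return seen
```

Feeding `build_client_hello("www.example.com") + build_app_data(b"\x8f" * 64)` to `inspect_stream` yields the server name from the handshake and then only a byte count for the request, which is exactly why URL-based filtering cannot be applied after the handshake.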
Received on Wed Apr 12 2006 - 08:40:37 MDT

This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT