Re: [squid-users] transparent squid + clamav + https

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Mon, 15 Mar 2010 10:25:59 -0600

On Monday 15 March 2010 05:30:11, Stefan Reible wrote:
> Hi,
>
> for my exam I want to set up a transparent proxy with http and https
> under gentoo linux.
>
> The transparent http proxy with clamav is working very nicely, but now
> I have problems with the implementation of ssl. My first idea was to
> break down the encryption at the squid, and then create a new one.
>
> http://wiki.squid-cache.org/Features/SslBump
>
> Is this possible? I think the problem is that if someone opens an
> https encrypted website like https://google.de he gets the certificate
> from the proxy in his browser, not from the webserver. This wouldn't
> be so fine.
>
> Do you have any solutions, information or ideas for this problem?
>
> Thanks, Stefan
>
> PS: I have a second problem with downloading big files: is it
> possible to send any info about the download progress to the
> web browser? Like opening an ajax script or something else.

There are 2 ways you may do that.

1. Use 3.1's sslbump capabilities. However you need a CA already installed in
your clients to avoid the non-confidence windows of browsers about the ssl cert.
But this won't work in transparent mode. Just explicit.

2. Use the DynamicSSLCert branch code.
https://code.launchpad.net/~rousskov/squid/DynamicSslCert
Not available in 3.1, but in 3.2 (can Amos or Henrik confirm this?). However
you still need the CA and this could work in transparent mode.

LD
Received on Mon Mar 15 2010 - 16:25:49 MDT
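
Both options in the reply depend on a CA certificate that the clients already trust. The script below is an added example, not part of the thread or of Squid: it uses the openssl CLI to show a proxy-signed server certificate being accepted only by a client whose trust store holds the signing CA. All names (Demo Proxy CA, www.example.test) are constructed, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added demo; every name below (Demo Proxy CA, www.example.test) is constructed.
set -eu

# make_ca DIR CN: self-signed CA, standing in for the proxy's signing CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# mint_leaf CADIR HOST: server certificate for HOST signed by the CA in CADIR,
# i.e. the kind of certificate the client sees instead of the origin's.
mint_leaf() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 7 -extfile "$1/san.ext" \
        -out "$1/leaf.crt" 2>/dev/null
}

# client_accepts TRUSTED_CA LEAF HOST: succeeds only if LEAF chains to
# TRUSTED_CA and names HOST, the two checks a browser applies.
client_accepts() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d); mkdir "$d/proxy" "$d/other"
    make_ca "$d/proxy" "Demo Proxy CA"
    make_ca "$d/other" "Unrelated CA"      # a client without the proxy CA
    mint_leaf "$d/proxy" www.example.test
    for ca in proxy other; do
        if client_accepts "$d/$ca/ca.crt" "$d/proxy/leaf.crt" www.example.test
        then echo "trust store = $ca CA: accepted"
        else echo "trust store = $ca CA: rejected (browser warning)"
        fi
    done
    rm -rf "$d"
}
demo
```

The CA private key generated here can sign a certificate for any host name, so on a real proxy it needs the same protection as any other signing key.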
