[squid-users] Moving to transparent proxy, SSL questions

From: Shawn Wright <swright_at_shawnigan.ca>
Date: Thu, 19 Aug 2010 09:00:48 -0700 (PDT)

Regards,
We've been running squid in various forms for over 10 years using basic auth against our windows domain, and have a lengthy list of ACLs we wish to maintain. The major issue we continue to encounter is dumb devices/apps which will not proxy correctly (iTunes, iPads/iPods, Android phones, etc.) or will not do proxy auth correctly (Skype for Mac).

Our campus of ~600 users is going wireless next month, and seamless support for wireless devices is part of the goal, while still maintaining the content control and logging we have now. I have a test proxy with squid 2.6 in transparent mode using our Cisco 6000 MSFC router to redirect using WCCP2, and this works fine for http traffic. HTTPS traffic is the problem.

For HTTPS, it seems we have two choices: use SSLbump, and tell our users to accept the cert warnings, and/or install our cert; or NAT the SSL traffic. As we are a campus environment with 500+ full-time residents including staff, SSLbump may be uncomfortable for some users, and may also not achieve the seamless experience we're seeking. NAT/Masq of traffic has been the exception over the years, so we don't attempt to log this traffic. I am interested in hearing from users who have made this transition and have found an acceptable solution to SSL traffic that allows for logging and ideally, filtering based on source and destination.

Thanks

Shawn Wright
I.T. Manager, Shawnigan Lake School
http://www.shawnigan.ca
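The post's second option (NAT the HTTPS traffic rather than bump it) gives up URL visibility, but source and destination can still be logged and filtered at the gateway. The script below is an added example, not part of the original post or of Squid, showing one way to do that: it parses kernel log lines of the shape an iptables LOG target produces for new connections to port 443 (the assumed rule would be something like `iptables -A FORWARD -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix "HTTPS-NAT: "`), then applies a first-match src/dst ACL table modelled after Squid's `src`/`dst` ACLs. The log lines, prefix, subnets and addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample kernel log lines in the format an iptables LOG target
# emits. Addresses are documentation/private ranges; the prefix "HTTPS-NAT:"
# is an assumed --log-prefix, not anything from the original post.
SAMPLE_LOG = """\
Aug 19 08:59:01 proxy kernel: HTTPS-NAT: IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Aug 19 08:59:02 proxy kernel: HTTPS-NAT: IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Aug 19 08:59:03 proxy kernel: HTTPS-NAT: IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51236 DPT=443 SYN
Aug 19 08:59:04 proxy kernel: HTTPS-NAT: IN=eth1 OUT=eth0 SRC=10.20.99.5 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=51237 DPT=443 SYN
Aug 19 08:59:05 proxy kernel: unrelated message that must be ignored
"""

# Fields the LOG target always writes for TCP; anything else in between is skipped.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return one event dict per recognised connection line; other lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": line[:15],  # syslog timestamp prefix, e.g. "Aug 19 08:59:01"
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dpt"]),
        })
    return events


# Hypothetical ACL table in the spirit of squid's src/dst ACLs: (action, src, dst),
# evaluated top to bottom, first match wins, implicit deny at the end.
ACLS = [
    # a guest subnet that is not allowed direct HTTPS at all
    ("deny", ipaddress.ip_network("10.20.99.0/24"), ipaddress.ip_network("0.0.0.0/0")),
    # a destination range blocked for the whole campus
    ("deny", ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")),
    # everything else from campus addresses is permitted
    ("allow", ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("0.0.0.0/0")),
]


def decide(event, acls=ACLS):
    """Apply the ACL table to one event and return 'allow' or 'deny'."""
    for action, src_net, dst_net in acls:
        if event["src"] in src_net and event["dst"] in dst_net:
            return action
    return "deny"


def summarize(events, acls=ACLS):
    """Per-source connection counts plus allow/deny totals, the two things the
    post asks for from NAT'd HTTPS: logging by source and a src/dst filter."""
    per_source = Counter()
    verdicts = Counter()
    for ev in events:
        per_source[str(ev["src"])] += 1
        verdicts[decide(ev, acls)] += 1
    return per_source, verdicts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], ev["src"], "->", ev["dst"], ev["dport"], decide(ev))
    print(summarize(evs))
```

The same ACL table can be expressed as iptables rules in front of the NAT so that denied connections never leave the network; running the evaluation over the logs, as here, is useful for checking a proposed policy against real traffic before enforcing it, and the per-source counts are what a NAT-only setup can still attribute to a user once DHCP leases are joined in.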
Received on Thu Aug 19 2010 - 16:00:50 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 19 2010 - 12:00:02 MDT