Re: [squid-users] problem with https-requests

From: Hans Juergen von Lengerke <[email protected]>
Date: Fri, 18 Jan 2002 13:02:20 +0100 (CET)

Heinz Ahrens <xf01070@gmx.de> on Jan 18, 2002:

> Is there a possibility to resolv the problem. Perhaps it is an
> squid-problem. Is it not possible to send the real url from squid to
> the redirector squidGuard. Or isnt there a possibility for squid to
> see the real URL like https://www.ccc.de/test.exe ??? Or is there a
> security problem. I think the real url can send to the redirector,
> there is no possiblity to read the content of the file and thats ok.

It's a security/privacy issue.

Think about it, if I want to access

   https://www.mybank.com/myaccount?login=123&passwd=foobar

I don't want anyone/anything to be able to read the URL, especially not
my cache admin. If the cache admin could see the URL I couldn't use
online banking.

https is a private (because encrypted) connection between client and the
webserver that generates the content. The HTTP Request Headers are also
encrypted because otherwise privacy isn't given. So the request headers
can only be read by that webserver to which the request is directed.
So squid has no means of actually determining what URL is being called,
it only knows what server the Request is directed to.

> Please help me. I think there is a security problem if my users can
> download https - exe - files.

You can't on the URL level. You could disallow https completely or on a
server level (ie. disallow all https connects to www.ccc.de)

Hans
Received on Fri Jan 18 2002 - 05:03:18 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:53 MST