Re: [squid-users] filter ssl traffic

From: Henrik Nordstrom <[email protected]>
Date: Thu, 13 Nov 2003 23:10:40 +0100 (CET)

On Thu, 13 Nov 2003, zidan wrote:

> I am using squid 2.5. I would like all the rules that I configured in
> squid.conf (filtering, blocking sites,
> different modules, etc.) will also apply to SSL traffic.
>
> I want the SSL connection to terminate at the squid, so all the traffic
> will be inspected as regular HTTP traffic.

Not without servere limitations

- SSL will be broken, no longer supporting client side certificates or
user selected trust in server certificates.

- You will need a custom CA to be installed in each client browser, or
else they won't trust that the proxy is the SSL server they wanted to
contact.

- Squid needs to be extended to generate fake SSL certificates in response
to CONNECT requests. (this means coding)

- Browser must be configured to use the proxy, or else the proxy will not
be able to tell what web site to fake the server side certificate for.

Regards
Henrik
Received on Thu Nov 13 2003 - 15:10:48 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:17 MST