[squid-users] Re: SSL-proxy filtering

From: Henrik �sterlund Gram <[email protected]>
Date: Thu, 31 Mar 2005 01:34:52 +0200

On Thu, 31 Mar 2005 00:26:06 +0200 (CEST), Henrik Nordstrom
<hno@squid-cache.org> wrote:
> On Wed, 30 Mar 2005, [ISO-8859-1] Henrik �sterlund Gram wrote:
>
> > As I understand from the FAQ and some old mails from 2000 in the
> > archive, filtering https urls or content is not supported -
>
> Correct, you can only filter https by destination server name, not
> complete URL.
>
> > and that is is so primarily for political reasons.
>
> No, purely technical reasons. The URL is encrypted by SSL and not visible
> to the proxy. All the proxy sees is a bidirectional stream of random data.

I realize that, but I also realize that there are a number of
(commercial) products available that accomplish this. It should be
possible to simply act as an SSL server yourself and while the
certificates would be different (the proxy's) seen from the actual
client and server's perspective, at least it could work.

The alternatives for any company wanting some security is either
disable https entirely or find a way to inspect and filter the data.
I think you would find most wanting to still support https while not
exposing themselves needlessly.

Regards
Henrik Gram
Received on Wed Mar 30 2005 - 16:34:56 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:03 MST