[squid-users] Peek'n Splice (ssl_bump) and authentication Somewhat OT: Content Filter with https

Sergio Belkin sebelk at gmail.com
Wed Jun 8 22:53:05 UTC 2016


2016-06-08 19:09 GMT-03:00 Eliezer Croitoru <eliezer at ngtech.co.il>:

> Hey Sergio,
>
> There are a couple of approaches to content filtering in the Linux world and in
> other spaces.
>
> Squid is open source and gives a lot but there are other ideas and ways to
> perform content filtering.
>
> Squid was designed for caching and does things in a specific way while
> other solutions might give a feature that would work "without interception".
>
> On http it is doable to perform filtering in a very efficient way that is
> similar to Squid's PEEK and SPLICE but there is a need for some level of
> interception in one step or another to perform the actual "block" operation.
>
> I do not know about Open Source products that offer everything and it is
> very simple to understand why.
>
> What I know about are:
>
> - Squid + external tools (such as SquidGuard, ufdbguard, others)
> - Ntop layer 7 filtering
> - Custom DPI iptables modules
> - NFQUEUE based IPS\IDS which can act as a url filtering engine
>
> Consider that if you require only filtering and not caching then you can
> get very high performance from many applications.
>
> The fact that Squid was designed for Caching doesn't mean that you need to
> use it.
> Also there are a couple of cases in which caching will hold your line and users'
> speed.
>
> The best case scenario would be to not Intercept the traffic into squid
> while in many cases it is not possible.
>
> Eliezer
>
> ----
>
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il


Thanks Eliezer, good summary. I've changed the subject to reflect better
the issue. As far as I understand from the documentation, one can bump https only by
interception.
But what about if a Windows user logs in against an Active Directory, will
the authentication work to use the proxy?

I mean, what I'd want is:

- Only users of an Active Directory can use the proxy
- Block certain URLs

Is that possible with squid+ufdbguard?

Or should I use other tools/ways just like you mentioned?

Thanks in advance!

-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org