[squid-users] Peek'n Splice (ssl_bump) and authentication Somewhat OT: Content Filter with https
Marcus Kool
marcus.kool at urlfilterdb.com
Fri Jun 10 10:26:46 UTC 2016
On 06/09/2016 11:26 PM, Sergio Belkin wrote:
>
>
> 2016-06-08 20:30 GMT-03:00 Marcus Kool <marcus.kool at urlfilterdb.com>:
>
>
>
> On 06/08/2016 07:53 PM, Sergio Belkin wrote:
>
>
> Thanks Eliezer, good summary. I've changed the subject to reflect better the issue. As far as I understand from the documentation, one can bump https only by interception.
>
>
> No. ssl-bump works very well with regular proxy mode, i.e. the browsers configure the address and port of the proxy or use PAC.
>
> But what about if one Windows user logs in against an Active Directory, will the authentication work to use the proxy?
>
> I mean, what I'd want is:
>
> - Only users of an Active Directory can use the proxy
>
>
> In regular proxy mode, authentication and peek+splice works fine.
> Note that peek+splice does not require Squid CA certificates on the clients.
>
>
>
>
> With peek+splice I block urls without CA certificates on the clients? Remember I mean urls, not only domains!
No. To block HTTPS URLs one needs ssl_bump with peek+bump mode for all blocked URLs (see my message of June 8).
With peek+bump ufdbGuard can block anything you like and produce understandable messages to the end user.
Marcus
> - Block certain urls
>
> Is that possible with squid+ufdbGuard?
>
>
> ufdbGuard works always, independent if Squid uses interception or not.
> The issue is the messages that a browser displays for the end user (see earlier email).
>
> Marcus
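
The setup discussed in this thread, written out as an added squid.conf example (it is not from the thread, nor from the Squid or ufdbGuard projects): a regular-mode proxy with Active Directory authentication that bumps only the domains whose URLs must be filtered and splices everything else. It assumes Squid 3.5 directive names; every path, the file `bump_domains.txt` and the ACL names are placeholders, and selecting the bumped domains from a file is one possible way to do it.

```conf
# Added example for Squid 3.5 (not from the thread); all paths, file names
# and helper locations are placeholders.

# Regular (explicit) proxy port: browsers are pointed at proxy:3128 or use PAC.
# The CA certificate here is used only for connections that get bumped.
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Active Directory users authenticate with Kerberos (Negotiate). In explicit
# proxy mode the browser answers the 407 challenge on the CONNECT request,
# so authentication completes before any TLS bytes are inspected.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl ad_users proxy_auth REQUIRED
http_access allow ad_users
http_access deny all

# Step 1: peek at the TLS ClientHello to learn the server name (SNI).
acl step1 at_step SslBump1
ssl_bump peek step1

# Domains that host URLs to be blocked by path: bump them so the URL
# rewriter sees the full https:// URL. Clients need the proxy CA installed
# for these domains only.
acl url_filtered ssl::server_name "/etc/squid/bump_domains.txt"
ssl_bump bump url_filtered

# Everything else is spliced: no CA certificate needed on the clients, but
# only the host name is visible, so filtering is per domain.
ssl_bump splice all

# Hand each request to ufdbGuard through its Squid client helper.
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient
url_rewrite_children 16
```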