[squid-users] How to configure a "proxy home" page ?

Yuri yvoinov at gmail.com
Sun Mar 25 17:24:16 UTC 2018


Therefore, please, PLEASE, never mention SSL Bump and security/privacy
in one letter.O:-)

These are mutually exclusive concepts.

Just like HTTPS and security.

25.03.2018 22:00, Yuri пишет:
>
> In principle, I do not consider as secure the technology that allows
> MiTM (even in theory) - anyway, for what purpose.
>
> Since this is so - HTTPS is nothing more than a security theater with
> a green lock for calming users.
>
> This does not mean that I do not care about the security and privacy
> of users. But I provide it somewhat differently, carefully protecting
> the proxy itself, its infrastructure and its cache.
>
>
> 25.03.2018 21:41, Yuri пишет:
>>
>>
>>
>> 25.03.2018 20:32, Matus UHLAR - fantomas пишет:
>>>>>> Le 25/03/2018 à 13:08, Yuri a écrit :
>>>>>>> The problem is not install proxy CA. The problem is identify client
>>>>>>> has no proxy CA and redirect, and do it only one time.
>>>>>
>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>> That is exactly the problem. And I have yet to find a solution
>>>>>> for that.
>>>>>>
>>>>>> Current method is instruct everyone - with a printed paper in the
>>>>>> office
>>>>>> - to connect to proxy.company-name.lan and then get further
>>>>>> instructions
>>>>>> from the page. This works, but an automatic splash page would be
>>>>>> more
>>>>>> elegant.
>>>
>>>> 25.03.2018 18:42, Matus UHLAR - fantomas пишет:
>>>>> impossible and unsafe. The CA must be installed before such splash
>>>>> page shows
>>>
>>> On 25.03.18 18:44, Yuri wrote:
>>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>>> implemented already.
>>>
>>> it's possible to install splash page, but not install trusted authority
>>> certificate.  Using such authority on a proxy is the MITM attack and
>>> whole
>>> SSL has been designed to prevent this.
>> Heh. If SSL designed - why SSL Bump itself possible? ;):-P
>>>
>>> without certificate, the browser complains which is a security measure
>>> against this.
>> Sure. It should.
>>>
>>>>> up and in such case the splash page is irelevant.
>>>>>
>>>>> If you have windows domain, you can force security policy through it.
>>>
>>>> In enterprise environment with AD, yes. But hardly in service
>>>> provider's
>>>> scenarious.
>>>
>>> service providers should not do this without users' permission.
>>> at least not in countries where the privacy is guaranteed by law.
>> Thank you, Captain Obvious. :-) Enterprises also should get user
>> agreement before do that. Especially in BYOD scenarious.
>>
>> All these things are well known here. The question was about
>> technical implementation, and not about the well-known truisms in the
>> field of security and privacy (in most cases of ephemeral).
>>
>> -- 
>> "C++ seems like a language suitable for firing other people's legs."
>>
>> *****************************
>> * C++20 : Bug to the future *
>> *****************************
>
> -- 
> "C++ seems like a language suitable for firing other people's legs."
>
> *****************************
> * C++20 : Bug to the future *
> *****************************

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180325/d6b4b381/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180325/d6b4b381/attachment-0001.sig>


More information about the squid-users mailing list