[squid-users] How to configure a "proxy home" page ?

Yuri yvoinov at gmail.com
Sun Mar 25 20:49:01 UTC 2018



26.03.2018 02:45, Amos Jeffries wrote:
> On 26/03/18 04:41, Yuri wrote:
>>
>> 25.03.2018 20:32, Matus UHLAR - fantomas wrote:
>>>>>> On 25/03/2018 at 13:08, Yuri wrote:
>>>>>>> The problem is not installing the proxy CA. The problem is identifying
>>>>>>> that a client has no proxy CA and redirecting, and doing it only one time.
>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>>> that.
>>>>>>
>>>>>> Current method is instruct everyone - with a printed paper in the office
>>>>>> - to connect to proxy.company-name.lan and then get further instructions
>>>>>> from the page. This works, but an automatic splash page would be more
>>>>>> elegant.
>>>> 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
>>>>> impossible and unsafe. The CA must be installed before such splash page
>>>>> shows
>>> On 25.03.18 18:44, Yuri wrote:
>>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>>> implemented already.
>>> it's possible to install splash page, but not install trusted authority
>>> certificate.  Using such authority on a proxy is the MITM attack and whole
>>> SSL has been designed to prevent this.
>> Heh. If SSL designed - why SSL Bump itself possible? ;):-P
> As all our SSL-Bump documentation should be saying:
>
>    when TLS is used properly SSL-Bump *does not work*.
>
> A client checking the cert validity and producing _its own_ error page
> about missing/unknown/untrusted CA is one of those cases. Since the
> client is producing the "page" itself there is no possibility of Squid
> replacing that with something else.
Amos,

Squid is irrelevant here. "Used properly" and "Implemented properly",
and, especially, "Designed properly" - which means "Secure by design",
like SSH or The Onion Router.

HTTPS is *NOT*.

Security should not be dependent on client/user behaviour. For
example, end-to-end security in IM. It is completely independent of the user.

If HTTPS permits MiTM in theory and practice by any manner - it is
insecure by design. Point.

>
> Amos

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
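
The behaviour described in the quoted reply above (the client's own TLS stack rejects a certificate from an authority it does not trust, so no HTTP page from the proxy is ever read) can be reproduced with Go's standard library. This is an added example, not part of the original message and not Squid code; `Fetch`, the splash text, and the use of `httptest`'s built-in self-signed certificate as a stand-in for a certificate issued under the proxy CA are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// Fetch connects to a stand-in intercepting proxy and returns the page the client got,
// how many HTTP requests reached the proxy, and the client's own TLS error, if any.
func Fetch(caInstalled bool) (page string, requests int32, err error) {
	proxy := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		atomic.AddInt32(&requests, 1)
		io.WriteString(w, "splash: install the proxy CA") // constructed splash page
	}))
	defer proxy.Close()
	roots := x509.NewCertPool() // empty pool: a trust store without the proxy CA
	if caInstalled {
		roots.AddCert(proxy.Certificate()) // httptest's built-in cert stands in for the proxy CA
	}
	tr := &http.Transport{DisableKeepAlives: true, TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Get(proxy.URL)
	if err != nil {
		return "", atomic.LoadInt32(&requests), err // handshake aborted by the client; no request sent
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), atomic.LoadInt32(&requests), err
}

func main() {
	fmt.Println(Fetch(false)) // CA missing: the client reports a certificate error itself
	fmt.Println(Fetch(true))  // CA installed: the splash page is delivered
}
```

In the first call the request counter stays at zero: the handshake is abandoned before any HTTP request exists, so the proxy has nothing to answer with a redirect or splash page.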
