[squid-users] How to configure a "proxy home" page ?

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Mar 26 09:33:08 UTC 2018


>>>>> On 25/03/2018 at 13:08, Yuri wrote:
>>>>>> The problem is not installing the proxy CA. The problem is identifying
>>>>>> that the client has no proxy CA and redirecting, and doing it only one time.
>>>>
>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>> that.
>>>>>
>>>>> Current method is to instruct everyone - with a printed paper in the
>>>>> office - to connect to proxy.company-name.lan and then get further
>>>>> instructions from the page. This works, but an automatic splash page
>>>>> would be more elegant.
>>
>>> 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
>>>> impossible and unsafe. The CA must be installed before such splash
>>>> page shows
>>
>> On 25.03.18 18:44, Yuri wrote:
>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>> implemented already.

>25.03.2018 20:32, Matus UHLAR - fantomas wrote:
>> it's possible to install splash page, but not install trusted authority
>> certificate.  Using such authority on a proxy is the MITM attack and
>> whole SSL has been designed to prevent this.

On 25.03.18 21:41, Yuri wrote:
>Heh. If SSL designed - why SSL Bump itself possible? ;):-P

it's not, you must break through it to allow ssl-bump by installing your
CA certificate.  You haven't explained how to do that automatically although
you claim it's possible.

Please provide evidence.

>> without certificate, the browser complains which is a security measure
>> against this.

>Sure. It should.

and it does. unless you tweak it not to, which must be configured manually
(please provide evidence if not).

>>>> up and in such case the splash page is irrelevant.
>>>>
>>>> If you have windows domain, you can force security policy through it.
>>
>>> In enterprise environment with AD, yes. But hardly in service provider's
>>> scenarios.
>>
>> service providers should not do this without users' permission.
>> at least not in countries where the privacy is guaranteed by law.

>Thank you, Captain Obvious. :-) Enterprises also should get user
>agreement before doing that. Especially in BYOD scenarios.
>
>All these things are well known here. The question was about technical
>implementation, and not about the well-known truisms in the field of
>security and privacy (in most cases of ephemeral).

maybe you know that, but many of the people asking for an ssl bump how-to do
not know that.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton

