[squid-users] How to configure a "proxy home" page ?

Yuri yvoinov at gmail.com
Mon Mar 26 13:11:05 UTC 2018



26.03.2018 15:33, Matus UHLAR - fantomas wrote:
>>>>>> On 25/03/2018 at 13:08, Yuri wrote:
>>>>>>> The problem is not installing the proxy CA. The problem is identifying
>>>>>>> that the client has no proxy CA and redirecting, and doing it only one time.
>>>>>
>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>>> that.
>>>>>>
>>>>>> Current method is to instruct everyone - with a printed paper in the
>>>>>> office - to connect to proxy.company-name.lan and then get further
>>>>>> instructions from the page. This works, but an automatic splash page
>>>>>> would be more elegant.
>>>
>>>> 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
>>>>> impossible and unsafe. The CA must be installed before such splash
>>>>> page shows
>>>
>>> On 25.03.18 18:44, Yuri wrote:
>>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>>> implemented already.
>
>> 25.03.2018 20:32, Matus UHLAR - fantomas wrote:
>>> it's possible to install splash page, but not install trusted authority
>>> certificate.  Using such authority on a proxy is the MITM attack and
>>> whole SSL has been designed to prevent this.
>
> On 25.03.18 21:41, Yuri wrote:
>> Heh. If SSL designed - why SSL Bump itself possible? ;):-P
>
> it's not, you must break through it to allow ssl-bump by installing your
> CA certificate.  You haven't explained how to do that automatically
> although you claim it's possible.
>
> Please provide evidence.
Waaaaaaa. No. My misunderstanding. Of course, not automatically.
>
>>> without certificate, the browser complains which is a security measure
>>> against this.
>
>> Sure. It should.
>
> and it does. unless you tweak it not to, which must be configured
> manually (please provide evidence if not).
Exactly. I'm talking only about it. My misunderstanding.
>
>>>>> up and in such case the splash page is irrelevant.
>>>>>
>>>>> If you have windows domain, you can force security policy through it.
>>>
>>>> In enterprise environment with AD, yes. But hardly in service
>>>> provider's scenarios.
>>>
>>> service providers should not do this without users' permission.
>>> at least not in countries where the privacy is guaranteed by law.
>
>> Thank you, Captain Obvious. :-) Enterprises also should get user
>> agreement before doing that. Especially in BYOD scenarios.
>>
>> All these things are well known here. The question was about technical
>> implementation, and not about the well-known truisms in the field of
>> security and privacy (in most cases of ephemeral).
>
> maybe you know that, but many people asking for ssl bump how-to do not
> know that.
A bit disagree.
 
This has been repeated so many times here and in Wiki that it's hard to
imagine that someone does not already know this.

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
