[squid-users] tproxy sslbump and user authentication

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Apr 21 12:40:55 UTC 2020


>On Tuesday, April 21, 2020, 8:29:28 AM GMT+2, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>> Please see the FAQ:
>> <https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F>
>>
>> Why bother with the second proxy at all? The explicit proxy has access
>> to all the details the interception one does (and more - such as
>> credentials). It should be able to do all filtering necessary.

On 21.04.20 12:33, Vieri wrote:
>Can the explicit proxy ssl-bump HTTPS traffic and thus analyze traffic with ICAP + squidclamav, for instance?

Yes.

>Simply put, will I be able to block, e.g.
> https://secure.eicar.org/eicarcom2.zip not by mimetype, file extension,
> url matching, etc., but by analyzing its content with clamav via ICAP?

Without bumping, you won't be able to block by anything, only by the
secure.eicar.org hostname.

>> TPROXY and NAT are for proxying traffic of clients which do not support
>> HTTP proxies. They are hugely limited in what they can do. If you have
>> ability to use explicit-proxy, do so.
>
>Unfortunately, some programs don't support proxies, or we simply don't care
> and want to force-filter traffic anyway.

Of course, but it has drawbacks.
You need to create your own certificate and push it to clients/applications.
Some applications may refuse the certificate anyway.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
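
Added example, not part of the original message and not taken from any participant's setup: a squid.conf sketch of the explicit-proxy arrangement discussed in this thread, with proxy authentication, SSL-Bump and ClamAV scanning over ICAP. It assumes Squid 4 or later; the file paths, the c-icap address `127.0.0.1:1344`, the service name `squidclamav` and the domain `.pinned.example` are assumptions to adapt to the local installation.

```conf
# Explicit (forward) proxy port with SSL-Bump. Clients are configured to use
# this port, so proxy authentication works (it does not on intercept/tproxy ports).
# bump-ca.pem is a locally created CA (certificate + key) that clients must trust.
# Assumption: Squid 4+ option name; Squid 3.5 spells it cert=.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by the CA above.
# Assumption: helper path and database directory vary by distribution.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB

# Basic authentication against a local password file (assumed helper path).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authed proxy_auth REQUIRED

# Applications that refuse the locally issued certificate can be spliced
# (tunnelled untouched). Spliced traffic is NOT visible to ICAP, so only the
# server name can be filtered for these sites.
acl step1 at_step SslBump1
acl nobump ssl::server_name .pinned.example   # constructed placeholder domain

ssl_bump peek step1        # read the TLS client hello (SNI) first
ssl_bump splice nobump     # pass through sites that break when bumped
ssl_bump bump all          # decrypt everything else

# Hand decrypted requests and responses to c-icap running squidclamav.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
# bypass=off: if the ICAP service is down, fail closed instead of skipping the scan.
icap_service av_req  reqmod_precache  icap://127.0.0.1:1344/squidclamav bypass=off
icap_service av_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access av_req  allow all
adaptation_access av_resp allow all

# Only authenticated users may use the proxy.
http_access allow authed
http_access deny all
```

With this in place, a bumped HTTPS download is scanned in the `respmod_precache` stage like plain HTTP content, while hosts matched by `nobump` can still be allowed or denied only by name.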

