[squid-users] Youtube "challenges"
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 24 21:33:57 UTC 2016
On 24/02/2016 7:44 p.m., Darren wrote:
> Hi
>
> and thanks for the feedback. I have Splice running OK however want I
> really want to do is to allow the splice when a user opens a link
> that navigates to https://www.youtube.com/embed/blahblah but not
> allow the user just to go directly to https://www.youtube.com and
> access the full site.
>
Okay. You are at the very limit of what you can do without installing
your CA certificate on the clients.
Squid SSL-Bump is able to go further and meet your needs by using the
'bump' action on the traffic identified as YT. But only if the client
accepts the forged cert Squid produces.
- problem the first: installing your CA on the client devices
- problem the second: Google cert pinning. Custom installed CA
apaprently overide this so fingers crossed.
> I can append a key to the https://www.youtube.com/embed/blahblah url
> that squid could use in the ACL but I am unsure if the query would be
> visible at that point to allow the Splice to be allowed only if this
> key is present.
No. Without full bumping all Squid (or anythign else) has to work with
is raw-IPs, possibly SNI details, and server cert details.
What varies between software is simply how the bumping and CA cert
installation operates.
Amos
More information about the squid-users
mailing list