[squid-users] https full url
xxiao8
xxiao8 at fosiao.com
Fri Jan 15 13:44:13 UTC 2016
icap/ecap are both for content-adaptation instead of being a redirector,
which implies they can work on decrypted https content(after "bump")
that includes the "effective URL", i.e. the full request URL.
what's the right approach to do content analysis when https/MITM is
turned on in squid, it has to happen after the connection is bumped, to
do things like virus-scanning, content translation,etc, all need access
to the decrypted content, not just the authority-form URI.
Dansguardian does not do https, e2guardian only does explicit https,
icap is a tcp/ip connection so that may also need to be "encrypted"
again to make sure the clear-text bumped ssl traffic is not leaked
furthermore(assuming icap is installed remotely sometimes), maybe ecap
should be used for this?
http://www.icap-forum.org/documents/glossary/icap_cats.html
"ICAP for HTTPS : Decrypt/Re-encrypts HTTPS connections and sends the
HTTP messages to ICAP servers. "
https://answers.launchpad.net/ecap/+question/169016
Thanks,
xxiao
On 01/15/2016 04:49 AM, squid-users-request at lists.squid-cache.org wrote:
> On 15/01/2016 2:08 p.m., xxiao8 wrote:
>> >In Squid http-redirector can get access to the full url, for https
>> >sslbump only gives us the host(https://host), to get a full
>> >url(https://host/path), are the only choices icap/ecap for content
>> >filtering? in this case I really don't care about the https content
>> >payload, just its http header that contains the full URL.
> ICAP/eCAP has nothing to do with it.
>
> The URL path is encrypted, so only available*after* the "bump" decrypt
> has happened.
>
> Before the decrypt Squid only has access to the authority-form URI.
> <http://tools.ietf.org/html/rfc7230#section-5.3.3>
More information about the squid-users
mailing list