[squid-users] Peek'n Splice (ssl_bump) and authentication Somewhat OT: Content Filter with https
Amos Jeffries
squid3 at treenet.co.nz
Fri Jun 10 03:12:28 UTC 2016
On 10/06/2016 2:26 p.m., Sergio Belkin wrote:
> 2016-06-08 20:30 GMT-03:00 Marcus Kool <marcus.kool at urlfilterdb.com>:
>
>>
>>
>> On 06/08/2016 07:53 PM, Sergio Belkin wrote:
>>
>>>
>>> Thanks Eliezer, good summary. I've changed the subject to reflect better
>>> the issue. As far I undestand from documention one can bump https only by
>>> interception.
>>>
>>
>> No. ssl-bump works very well with regular proxy mode, i.e. the browsers
>> configure the address and port of the proxy or use PAC.
>>
>> But what about if one Windows user login against an Active Directory, will
>>> the authenticacion work to use the proxy?
>>>
>>> I mean, what I'd want is:
>>>
>>> - Only users of an Active Directory can use the proxy
>>>
>>
>> In regular proxy mode, authentication and peek+splice works fine.
>> Note that peek+splice does not require Squid CA certificates on the
>> clients.
>>
>
>
>
> With peek+splce I block urls without CA certificates on the clients?
> Remember I mean urls, not only domains!
The *URL* is buried inside the encryption.
The server hostname (aka 'domain' to some) is available in the
plain-text metadata.
Peek+Splice only uses the metadata. No decryption.
So ... *URL* is never available when splice'ing traffic regardless of
what you do to the clients.
Amos
More information about the squid-users
mailing list