[squid-users] Peek'n Splice (ssl_bump) and authentication Somewhat OT: Content Filter with https

Marcus Kool marcus.kool at urlfilterdb.com
Fri Jun 10 10:26:46 UTC 2016



On 06/09/2016 11:26 PM, Sergio Belkin wrote:
>
>
> 2016-06-08 20:30 GMT-03:00 Marcus Kool <marcus.kool at urlfilterdb.com <mailto:marcus.kool at urlfilterdb.com>>:
>
>
>
>     On 06/08/2016 07:53 PM, Sergio Belkin wrote:
>
>
>         Thanks Eliezer, good summary. I've changed the subject to reflect better the issue. As far I undestand from documention one can bump https only by interception.
>
>
>     No.  ssl-bump works very well with regular proxy mode, i.e. the browsers configure the address and port of the proxy or use PAC.
>
>         But what about if one Windows user login against an Active Directory, will the authenticacion work to use the proxy?
>
>         I mean, what I'd want is:
>
>         - Only users of an Active Directory can use the proxy
>
>
>     In regular proxy mode, authentication and peek+splice works fine.
>     Note that peek+splice does not require Squid CA certificates on the clients.
>
>
>
>
> With peek+splce I block urls without CA certificates on the clients? Remember I mean urls, not only domains!

No. To block HTTPS URLs one needs ssl_bump with peek+bump mode for all blocked URLs (see my message of June 8).
With peek+bump ufdbGuard can block anything you like and produce understandable messages to the end user.

Marcus

>         - Block certains urls
>
>         Is that possible with squid+ufwdbguard?
>
>
>     ufdbGuard works always, independent if Squid uses interception or not.
>     The issue is the messages that a browser displays for the end user (see earlier email).
>
>     Marcus


More information about the squid-users mailing list