[squid-users] How to configure a "proxy home" page ?

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 25 20:45:16 UTC 2018


On 26/03/18 04:41, Yuri wrote:
> 
> 
> 25.03.2018 20:32, Matus UHLAR - fantomas wrote:
>>>>> On 25/03/2018 at 13:08, Yuri wrote:
>>>>>> The problem is not install proxy CA. The problem is identify client
>>>>>> has no proxy CA and redirect, and do it only one time.
>>>>
>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>> that.
>>>>>
>>>>> Current method is instruct everyone - with a printed paper in the
>>>>> office
>>>>> - to connect to proxy.company-name.lan and then get further
>>>>> instructions
>>>>> from the page. This works, but an automatic splash page would be more
>>>>> elegant.
>>
>>> 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
>>>> impossible and unsafe. The CA must be installed before such splash
>>>> page shows
>>
>> On 25.03.18 18:44, Yuri wrote:
>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>> implemented already.
>>
>> it's possible to install splash page, but not install trusted authority
>> certificate.  Using such authority on a proxy is the MITM attack and
>> whole
>> SSL has been designed to prevent this.
> Heh. If SSL designed - why SSL Bump itself possible? ;):-P

As all our SSL-Bump documentation should be saying:

   when TLS is used properly SSL-Bump *does not work*.

A client checking the cert validity and producing _its own_ error page
about missing/unknown/untrusted CA is one of those cases. Since the
client is producing the "page" itself there is no possibility of Squid
replacing that with something else.

Amos
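
The client-side check described in the message above, as an added example that is not part of the original thread: the chain verification below is what a TLS client performs during the handshake, before any HTTP response exists for a proxy to replace. The CA names, subjects and temporary paths are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added illustration; every subject name and path below is constructed.

# make_pki DIR: create a "public" root (stands in for the client's existing
# trust store), a proxy CA, and a leaf the proxy CA minted for a site.
make_pki() {
    d=$1
    for ca in public proxy; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Example $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 1 \
        -CA "$d/proxy.pem" -CAkey "$d/proxy.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null || return 1
}

# check_chain TRUST_STORE CERT: succeed only if CERT chains to a CA in
# TRUST_STORE. A client runs this check inside the TLS handshake.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    if check_chain "$tmp/public.pem" "$tmp/leaf.pem"; then
        echo "proxy CA not installed: accepted (unexpected)"
    else
        echo "proxy CA not installed: rejected by the client, no HTTP exchanged"
    fi
    # Installing the proxy CA means adding it to the client's trust store.
    cat "$tmp/public.pem" "$tmp/proxy.pem" > "$tmp/both.pem"
    if check_chain "$tmp/both.pem" "$tmp/leaf.pem"; then
        echo "proxy CA installed: chain verifies, bumped connection proceeds"
    fi
    rm -rf "$tmp"
}

demo
```

The rejection happens entirely on the client, which is why the CA has to reach clients out of band (for example the plain-HTTP instructions page mentioned earlier in the thread) rather than through the intercepted connection.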

