[squid-users] How to configure a "proxy home" page ?

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 25 21:55:29 UTC 2018


On 26/03/18 10:16, Yuri wrote:
> 
> 
> 26.03.2018 03:02, Amos Jeffries пишет:
>> On 26/03/18 09:49, Yuri wrote:
>>>
>>> 26.03.2018 02:45, Amos Jeffries пишет:
>>>> On 26/03/18 04:41, Yuri wrote:
>>>>> 25.03.2018 20:32, Matus UHLAR - fantomas пишет:
>>>>>>>>> Le 25/03/2018 à 13:08, Yuri a écrit :
>>>>>>>>>> The problem is not install proxy CA. The problem is identify client
>>>>>>>>>> has no proxy CA and redirect, and do it only one time.
>>>>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>>>>>> that.
>>>>>>>>>
>>>>>>>>> Current method is instruct everyone - with a printed paper in the
>>>>>>>>> office
>>>>>>>>> - to connect to proxy.company-name.lan and then get further
>>>>>>>>> instructions
>>>>>>>>> from the page. This works, but an automatic splash page would be more
>>>>>>>>> elegant.
>>>>>>> 25.03.2018 18:42, Matus UHLAR - fantomas пишет:
>>>>>>>> impossible and unsafe. The CA must be installed before such splash
>>>>>>>> page shows
>>>>>> On 25.03.18 18:44, Yuri wrote:
>>>>>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>>>>>> implemented already.
>>>>>> it's possible to install splash page, but not install trusted authority
>>>>>> certificate.  Using such authority on a proxy is the MITM attack and
>>>>>> whole
>>>>>> SSL has been designed to prevent this.
>>>>> Heh. If SSL designed - why SSL Bump itself possible? ;):-P
>>>> As all our SSL-Bump documentation should be saying:
>>>>
>>>>    when TLS is used properly SSL-Bump *does not work*.
>>>>
>>>> A client checking the cert validity and producing _its own_ error page
>>>> about missing/unknown/untrusted CA is one of those cases. Since the
>>>> client is producing the "page" itself there is no possibility of Squid
>>>> replacing that with something else.
>>> Amos,
>>>
>>> squid is irrelevant here. "Used properly" and "Implemented properly",
>>> and, especially, "Designed properly" - which means "Secure by design",
>>> like SSH or The Onion Router.
>>>
>>> HTTPS is *NOT*.
>>>
>> You are missing the point. Sometimes TLS *is* implemented properly.
>>
>> Squid is very relevant here because it is the agent producing the
>> un-verifiable certificate. The certificate is un-verifiable exactly
>> because Squids own CA is being used and the client does not trust that CA.
> Waaaaaaaa, Amos, why you say "unverifiable"? 

Because that is the situation. The client software cannot silently
verify the certificate nor automatically install the not-trusted CA to
cause that *previous* verification attempt to succeed.

> You can show CA to users,

Er, you are now going in circles.

The initial problem was that it is not possible to verify the cert
automatically *without* showing the user things. Requiring the user to
see something to get around that problem ...

Amos


More information about the squid-users mailing list