[squid-users] How to configure a "proxy home" page ?

Yuri yvoinov at gmail.com
Sun Mar 25 22:03:12 UTC 2018



26.03.2018 03:55, Amos Jeffries пишет:
> On 26/03/18 10:16, Yuri wrote:
>>
>> 26.03.2018 03:02, Amos Jeffries пишет:
>>> On 26/03/18 09:49, Yuri wrote:
>>>> 26.03.2018 02:45, Amos Jeffries пишет:
>>>>> On 26/03/18 04:41, Yuri wrote:
>>>>>> 25.03.2018 20:32, Matus UHLAR - fantomas пишет:
>>>>>>>>>> Le 25/03/2018 à 13:08, Yuri a écrit :
>>>>>>>>>>> The problem is not install proxy CA. The problem is identify client
>>>>>>>>>>> has no proxy CA and redirect, and do it only one time.
>>>>>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>>>>>>> that.
>>>>>>>>>>
>>>>>>>>>> Current method is instruct everyone - with a printed paper in the
>>>>>>>>>> office
>>>>>>>>>> - to connect to proxy.company-name.lan and then get further
>>>>>>>>>> instructions
>>>>>>>>>> from the page. This works, but an automatic splash page would be more
>>>>>>>>>> elegant.
>>>>>>>> 25.03.2018 18:42, Matus UHLAR - fantomas пишет:
>>>>>>>>> impossible and unsafe. The CA must be installed before such splash
>>>>>>>>> page shows
>>>>>>> On 25.03.18 18:44, Yuri wrote:
>>>>>>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>>>>>>> implemented already.
>>>>>>> it's possible to install splash page, but not install trusted authority
>>>>>>> certificate.  Using such authority on a proxy is the MITM attack and
>>>>>>> whole
>>>>>>> SSL has been designed to prevent this.
>>>>>> Heh. If SSL designed - why SSL Bump itself possible? ;):-P
>>>>> As all our SSL-Bump documentation should be saying:
>>>>>
>>>>>    when TLS is used properly SSL-Bump *does not work*.
>>>>>
>>>>> A client checking the cert validity and producing _its own_ error page
>>>>> about missing/unknown/untrusted CA is one of those cases. Since the
>>>>> client is producing the "page" itself there is no possibility of Squid
>>>>> replacing that with something else.
>>>> Amos,
>>>>
>>>> squid is irrelevant here. "Used properly" and "Implemented properly",
>>>> and, especially, "Designed properly" - which means "Secure by design",
>>>> like SSH or The Onion Router.
>>>>
>>>> HTTPS is *NOT*.
>>>>
>>> You are missing the point. Sometimes TLS *is* implemented properly.
>>>
>>> Squid is very relevant here because it is the agent producing the
>>> un-verifiable certificate. The certificate is un-verifiable exactly
>>> because Squids own CA is being used and the client does not trust that CA.
>> Waaaaaaaa, Amos, why you say "unverifiable"? 
> Because that is the situation. The client software cannot silently
> verify the certificate nor automatically install the not-trusted CA to
> cause that *previous* verification attempt to succeed.
Sure. User always should:

a) Have root/administrative privilegies to install any CA in trusted
store on client
b) Device always asks users "Hey, somebody tries to install CA with
fingerprint blah-blah-blah.... you trust them? Install? (Yes/No)"

We're not talking about forced silently push proxy CA to client, right?
>
>> You can show CA to users,
> Er, you are now going in circles.
>
> The initial problem was that it is not possible to verify the cert
> automatically *without* showing the user things. Requiring the user to
> see something to get around that problem ...
Yes. We're want just to determine - is proxy CA installed? and if not,
redirect user to page to make desicion - install/not install. Get
internet/remain locally ;)
On this page we're can inform user about all require things: our CPS,
our privacy policy, warnings, legal issues, CA fingerprint, CA issuer
etc. ;)

This seems better? All same like adult CA does :)

We're all understand we're can't silently push any CA to client ;) This
is illegal, technically impossible, insecure....... ;)
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180326/f7607c7b/attachment.sig>


More information about the squid-users mailing list