[squid-users] How to configure a "proxy home" page ?

Yuri yvoinov at gmail.com
Sun Mar 25 23:34:39 UTC 2018



26.03.2018 05:23, Amos Jeffries wrote:
> On 26/03/18 12:07, Yuri wrote:
>> 26.03.2018 05:05, Amos Jeffries wrote:
>>> On 26/03/18 11:05, Yuri wrote:
>>>> And yes, HTTPS is insecure by design and all our actions do not make it
>>>> less insecure :-D
>>> We are not talking about HTTPS. Only about TLS. Because the TLS decrypt
>>> is what is "failing" at the time any of these details we are discussing
>>> are relevant.
>>>
>>> The "page" mentioned is HTML created by the _client_ as its way to show
>>> the user things. Still no HTTP(S) involvement. Squid has zero
>>> involvement with that so cannot make it do anything active (like install
>>> CA certs).
>> Exactly. Users do. And we almost have all the required tools to implement
>> a user-driven helper ;)
> Yet again you are circled back to involving the user. Remember the
> original point was trying to do things *without any user* knowing or
> being involved.
I could not have made such a stupid idea. It does not work out that way. The
user is always asked whether to trust the CA certificate being installed.

The only way known to me to do this silently is using AD group policy.

AFAIK, we're discussing the usual way: catch the error and redirect to a page.
No more. Captive Portal, Splash, ACL etc.

>
>
> This is what I mean by "TLS used properly" - proper is when it always
> circles back to user deciding who they trust. No matter how indirectly,
> the user installs a (root) CA causing trust or allowed someone else to
> do so.
Generally speaking, yes.

I just mean that in some other protocols you have no possibility of
doing MiTM in any way, whether installing something or not. This
prevents any improper or malicious use of the protocol.

TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise
SSH by installing any key/certs to client. Correct? This is by design?

> Amos

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
