Date: Mon, 5 Mar 2007 16:50:19 +0100 From: Fabian Keil <freebsd-listen@fabiankeil.de> To: Bart Silverstrim <bsilver@chrononomicon.com> Cc: FreeBSD Mailing Lists <freebsd-questions@freebsd.org> Subject: Re: Proxy question Message-ID: <20070305165019.5195d1f8@localhost> In-Reply-To: <52B6695D-7CA1-4B3F-8101-A167D57C52A2@chrononomicon.com> References: <52B6695D-7CA1-4B3F-8101-A167D57C52A2@chrononomicon.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_G=hQEJ0XjglPvr2F=B_LO=t Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Bart Silverstrim <bsilver@chrononomicon.com> wrote: > We are currently running Squid and SquidGuard on FreeBSD for =20 > monitoring/proxying web browsing activity at our workplace. The =20 > problem is that some users figured out how to use a specific type of =20 > proxy to bypass protections...specifically, they're going through an =20 > https site. >=20 > Is it possible to run a proxy that can monitor https connections and =20 > block them if necessary? To monitor https connections the proxy has to run a man in the middle attack and unless you change the certificates on the clients, this will cause browser warnings and confuse users. Depending on your country it may also be illegal if you don't inform the users about it, but of course that's true for monitoring in general. If you're only talking about blocking SSL connections to hosts that aren't white-listed, you can simply block CONNECT requests on the proxy and use a packet filter to make sure the clients can't just bypass the proxy. I assume that Squid itself can block CONNECT requests based on the hostname, but if it can't, you could add Privoxy to your proxy chain to do that. Fabian --Sig_G=hQEJ0XjglPvr2F=B_LO=t Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFF7DxoBYqIVf93VJ0RAqwUAKCpxUIO+qw8DFfFRtEuoSp/slQZoQCdEBHT GZ+b6uR9PB58eaKYw/bAPq8= =qiTA -----END PGP SIGNATURE----- --Sig_G=hQEJ0XjglPvr2F=B_LO=t--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070305165019.5195d1f8>