Hello Sven and the others, thanks for the help.

I thought there was a simple and secure way to redirect to a 'This Site has been blocked' page for HTTP and HTTPS. But if I must destroy the safety of HTTPS, this isn't an option. It is a nice-to-have feature in my project, so the user can see that this site has been blocked and that there are no connection troubles (the browser error page).

Greetings,
Michael

> "Sven Hartge" <s...@svenhartge.de> wrote:
> Bob Proulx <b...@proulx.com> wrote:
> > Sven Hartge wrote:
> >> Michael I. wrote:
> >
> >>> Is there really no way to redirect https request to an error page
> >>> with squid3+squidguard?
> >
> >> Long answer: The only way is to set up a transparent proxy,
> >> intercepting any outbound connection and terminating the encryption
> >> on the proxy. You will need a fake CA certificate with which the
> >> proxy is able to create fake server certificates so the client still
> >> thinks it is connected to the real server.
> >>
> >> And here it gets a) dangerous and b) expensive.
> >
> > It is extremely bad, bad, bad, as well as dangerous. I haven't been
> > following the news in great detail but read all about Komodia's recent
> > news articles. Komodia's cracking tools are used in Superfish and
> > Lenovo was in trouble for pre-installing Superfish.
>
> There are network policy/security appliances in the enterprise world,
> which implement a scanning proxy for HTTPS. They come with either a
> wildcard certificate for * (signed by a valid CA!) or a fake CA
> certificate, which you install onto your computers to enable the
> appliance to function.
>
> This is of course very dangerous if you don't know what you are doing,
> but sometimes there are no other options (for example HIPAA, SOX, PCI,
> ...) if you have to absolutely control the flow and content of data.
>
> But then, if you are in the area where you need such
> MitM-Filter-SSL-breaking-proxies, then you already know of how to do it
> and when to do it.
>
> If you don't know how to do it and when to do it, chances are, you don't
> need it.
>
> Guessing from Michael's TLD, he is German. This means there are several
> other things to consider, based on the environment this is done in. If
> this is for a company or governmental agency, the Betriebsrat (works
> council) or the Personalrat and the local Datenschutzbeauftragter (data
> security official) have to be involved.
>
> Greetings,
> Sven.
>
> --
> Sigmentation fault. Core dumped.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/kbfqc92ro...@mids.svenhartge.de

--
Archive: https://lists.debian.org/trinity-16611559-8bb9-4e79-9f61-9b027df65c5b-1427099581524@3capp-gmx-bs01
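
The following is an added example, not part of the original thread and not squid or squidGuard code. It shows why a filter that does not terminate TLS can redirect plain HTTP to a block page but can only deny HTTPS: for HTTPS the proxy sees just a `CONNECT host:port` line, and when that is refused the browser shows its own error page. The names `BLOCKED`, `BLOCK_PAGE` and both functions are hypothetical, and the request lines are constructed.

```python
# Added illustration: what a forward proxy sees for HTTP versus HTTPS.
# BLOCKED and BLOCK_PAGE are constructed sample values.
BLOCKED = {"blocked.example"}
BLOCK_PAGE = "http://proxy.example/blocked.html"


def parse_request_line(line):
    """Split a proxy request line into (method, host, path or None)."""
    method, target, _version = line.split()
    if method == "CONNECT":
        # HTTPS through a proxy: the target is only host:port. The URL path,
        # headers and body travel inside the TLS tunnel and stay hidden.
        host = target.rsplit(":", 1)[0]
        return method, host, None
    # Plain HTTP through a proxy: the absolute URI is fully visible.
    rest = target.split("://", 1)[1]
    hostport, _, path = rest.partition("/")
    return method, hostport.split(":")[0], "/" + path


def filter_decision(line):
    """Return the action a non-intercepting filter can take for a request."""
    method, host, _path = parse_request_line(line)
    if host not in BLOCKED:
        return "ALLOW"
    if method == "CONNECT":
        # No HTTP request is visible yet, so there is nothing to answer with
        # a redirect. Serving a block page would mean terminating TLS with a
        # certificate the client trusts, which is the fake-CA setup the
        # thread warns about.
        return "DENY 403"
    # The request is plain text, so the filter can answer it directly.
    return "REDIRECT 302 " + BLOCK_PAGE


if __name__ == "__main__":
    for sample in (
        "GET http://blocked.example/index.html HTTP/1.1",
        "CONNECT blocked.example:443 HTTP/1.1",
        "CONNECT allowed.example:443 HTTP/1.1",
    ):
        print(sample, "->", filter_decision(sample))
```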