On 11/02/2011 19:17, R0me0 *** wrote:
Hello Alessandro!
Try reading this.
If possible, comment after trying :D
Regards,
spawn
2011/2/11 Alessandro Baggi <alessandro.ba...@gmail.com>:
Hi list. I have a squid proxy with URL filtering and file AV scanning,
composed of OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp.
All works fine, but I'm not able to get HTTPS traffic scanned. To
get around this, we can use squid-3.1.11 with the ssl-bump feature.
At this point I've tried to set this configuration up on a "linux"
host, so as not to break my firewall: Slackware 13.1 +
squid-3.1.11 + sslbump + c-icap + squidclamav-6.0 + squidGuard +
clamav.
from http://wiki.squid-cache.org/Features/SslBump:
Squid-in-the-middle decryption and encryption of straight CONNECT
and transparently redirected SSL traffic, using configurable
client- and server-side certificates. While decrypted, the traffic
can be inspected using ICAP.
At this point no further explanation about sslbump is needed.
All HTTP and HTTPS traffic gets scanned; great.
I've also tried to set up an environment with: Slackware 13.1 + squid-3.1.11
+ sslbump + havp + clamav + squidguard. The point is that, to get
squid working with havp, I must insert a parent (cache_peer) to
havp, and then when squid gets the request from a client it sends
the request to havp, and havp says (rightly) that the request is
an invalid request, returning the havp page.
Is there a method to avoid this? Or is the problem related only to
havp, which cannot "see" HTTPS traffic?
Another question is about security. With this method, the SSL
communication between the two endpoints is broken, with squid in
the middle; what are the security implications of using this method?
Are there more pros than cons to using this solution?
The last question: why does OpenBSD not get squid-3.x instead of 2.7-x?
Thanks in advance
Azz, this solution is very very secure :D. Jokes aside, I've
read something about this, and I wanted some assurance about it.
For my second question: because squid-3 permits MITM.
Thanks for the reply.
Best regards
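For readers following the squid-3.1.11 + c-icap + squidclamav route the thread describes, here is an added squid.conf fragment that is not part of the original mail exchange or of any of the projects named. It shows the two pieces the discussion turns on: an `http_port` with `ssl-bump`, so CONNECT tunnels from clients are terminated at squid, and an ICAP service that scans the decrypted traffic, which is why no `cache_peer` parent (the havp setup that produced the "invalid request" page) is needed. The certificate paths, the `localnet` range, the service names and the `127.0.0.1:1344` c-icap listener are assumptions to be adapted.

```conf
# Added example (not from the thread). Paths, ACL range, service names
# and the ICAP listener address are assumptions.

# Listener for proxied clients. CONNECT tunnels are "bumped": squid
# terminates TLS with this certificate, so every client must trust the
# CA that issued it (squid-3.1 presents this single certificate for all
# sites; per-host certificate generation arrived in later releases).
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxy.pem key=/etc/squid/ssl/proxy.key

# squid-3.1 ssl_bump syntax: allow/deny per ACL, no peek/splice yet.
acl localnet src 192.168.1.0/24
ssl_bump allow localnet
ssl_bump deny all

# Decrypted requests and responses go to c-icap/squidclamav over ICAP.
# bypass=0 fails closed: if the scanner is down, traffic is not passed
# through unscanned.
icap_enable on
icap_send_client_ip on
icap_service clamav_req  reqmod_precache  bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service clamav_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access clamav_req  allow all
adaptation_access clamav_resp allow all

http_access allow localnet
http_access deny all
```

On the security question raised in the thread: with this configuration the end-to-end TLS session is replaced by two sessions, client to squid and squid to origin, so the clients' trust in the proxy CA is what stands in for the origin's certificate. Keep squid verifying upstream certificates (do not add `sslproxy_flags DONT_VERIFY_PEER` to make errors go away), restrict `ssl_bump allow` to the networks that actually need scanning, and protect the CA private key on the proxy host, since anyone holding it can impersonate any site to those clients.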