Michael Renner wrote:
> On Sunday 26 September 2004 18:32, Henrik Nordstrom wrote:
>> Why do you want to transparently intercept https tunnels? What is wrong
>> with using NAT/Masquerade?
> We had a NAT/Masquerade network before, with open ports 80 and 443. The
> users are not allowed to do anything else than http and https. But they
> are clever enough to tunnel ssh (or much more: pppssh-tunnel) through the
> open ports.
> So we closed the ports and made this transparent proxy.

This won't help - users can tunnel through a transparent proxy in a similar
manner using HTTPS. Due to the design of SSL, the proxy cannot see the
traffic itself - it just opens a connection to the remote server and passes
traffic back and forth.

> Another reason is visitors: They should not have to reconfigure their
> notebook while they are in our institute.

Why not? You can make it easy by taking a few steps:

1) Setup WPAD, which most browsers support. There's an FAQ on it:
   http://www.squid-cache.org/Doc/FAQ/FAQ-5.html#ss5.10

2) Redirect port 80 and 443 to a web server that serves a single page
   telling users how to configure their browser to use the proxy.

Adam
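Step 1 above, as an added example that is not part of this thread or of Squid's own documentation: a minimal wpad.dat PAC script of the kind a WPAD setup serves, which sends everything except internal hosts through the proxy. The proxy name proxy.example.org:3128, the domain example.org and the network 10.0.0.0/8 are placeholders, not values from the thread.

```javascript
// wpad.dat: a minimal proxy auto-configuration (PAC) script for a WPAD setup.
// Browsers that support WPAD fetch http://wpad.<your-domain>/wpad.dat (located
// via DHCP option 252 or DNS) and call FindProxyForURL() for every request,
// so visitors get the proxy without reconfiguring their notebook by hand.
// Assumed placeholders: proxy proxy.example.org:3128, internal DNS domain
// example.org, internal network 10.0.0.0/8. Only ES3 syntax and no PAC
// built-ins are used, so the file runs under old browser PAC engines and Node.

var PROXY = "PROXY proxy.example.org:3128";
var DIRECT = "DIRECT";

// Parse a dotted-quad IPv4 address into a number; -1 if it is not an address.
function ipv4ToInt(s) {
  var parts = s.split(".");
  if (parts.length !== 4) { return -1; }
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) { return -1; }
    var octet = parseInt(parts[i], 10);
    if (octet > 255) { return -1; }
    n = n * 256 + octet;
  }
  return n;
}

// True when host is a literal IPv4 address inside network/prefixLen.
function inNetwork(host, network, prefixLen) {
  var h = ipv4ToInt(host), n = ipv4ToInt(network);
  if (h < 0 || n < 0) { return false; }
  var shift = Math.pow(2, 32 - prefixLen);
  return Math.floor(h / shift) === Math.floor(n / shift);
}

// True for hostnames ending in "." + domain (what dnsDomainIs() does in PAC).
function inDomain(host, domain) {
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names, the local machine and internal hosts go direct...
  if (host.indexOf(".") === -1 || host === "localhost") { return DIRECT; }
  if (inDomain(host, "example.org") || inNetwork(host, "10.0.0.0", 8)) {
    return DIRECT;
  }
  // ...everything else, http and https alike, must go through the proxy.
  return PROXY;
}
```

Serve the file as http://wpad.&lt;domain&gt;/wpad.dat with the MIME type application/x-ns-proxy-autoconfig; a hostname like "10.example" is deliberately not treated as an address and still goes to the proxy.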
