On 27/07/14 16:00, Dr.x wrote:
> hi all,
> I have 2 questions.
> 1- Why, when I make a normal squid with a normal http port and direct my
> browser to ip/port, can it block https facebook,
Because the browser is aware of the cache and issues CONNECT requests
for SSL sites. Squid can see these and block them.
> while
> if it was a transparent proxy it can't block https facebook??
You can't use CONNECT with a transparent proxy as it implies the client
has been configured with a proxy (which would not be transparent).
> I'm talking about configuring a normal http proxy, not https!
> I wish for a clarification.
> 2- Now if I use ssl bump and use transparent tproxy with https ... can I buy
> a trusted certificate and install it on squid so the users will not face
> the "certificate not trusted" message?
NO! This is about the 3rd or 4th time this question has appeared on this
list. You can't use a cert from a commercial provider because you need
the cert's private key to produce new certs signed by it (which the cert
provider will not give you in a million years). If this worked it would
make SSL useless.
> I mean, in a production network with many users, I need to block https
> youtube/facebook while still using transparent tproxy.
You need to create your own CA, import the CA cert into your client
browsers (which will get rid of the warning) and use the key to do
dynamic cert generation in squid. Then it is possible to do either WPAD
based browser config, or, I think (harder) do TPROXY with bumping.
NB unless you can import your own CA cert into all client browsers you
*WILL* get certificate validation failures in the browser.
Cheers
Alex
> with to help
> regards
> -----
> Dr.x
> --
> View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/why-squid-can-block-https-when-i-point-my-browser-to-port-and-cant-when-its-transparent-tp4667069.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
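As an added illustration (not part of the thread above), a squid.conf fragment for Squid 3.5 or later showing both halves of Alex's answer: on an explicit proxy the browser's CONNECT request is what gets denied, while under TPROXY there is no CONNECT and Squid has to look at the TLS handshake itself using a CA you generated. The CA file path, the certificate helper path and the TPROXY iptables/routing setup are assumptions and are not from the thread.

```conf
# --- Explicit (browser-configured) proxy: HTTPS arrives as CONNECT ---
http_port 3128

acl SSL_ports port 443
acl CONNECT method CONNECT
acl blocked_sites dstdomain .facebook.com .youtube.com

# The browser sends "CONNECT www.facebook.com:443", so dstdomain matches
# the tunnel request and Squid can refuse it before any TLS bytes flow.
http_access deny CONNECT blocked_sites
http_access deny CONNECT !SSL_ports

# --- Transparent TPROXY: no CONNECT exists, so Squid must inspect TLS ---
# ca.pem (assumed path) holds a CA certificate AND its private key that
# you generated yourself; that CA cert is what you import into every
# client browser. A commercial CA will never hand you its signing key.
https_port 3129 tproxy ssl-bump \
    cert=/etc/squid/ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certs signed by your CA (assumed path).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl blocked_sni ssl::server_name .facebook.com .youtube.com

# Step 1: peek at the ClientHello to read the SNI without altering the session.
ssl_bump peek step1
# Close blocked sites; pass everything else through untouched.
ssl_bump terminate blocked_sni
ssl_bump splice all
```

Only connections you actually `bump` are re-signed with your CA, so the peek/terminate/splice rules above block by SNI without triggering certificate warnings; the moment you replace `splice` with `bump` to inspect content, clients without your CA imported will see validation failures, exactly as Alex warns.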