2011/3/23 David Barbero <[email protected]>:
> Yehuda Katz <[email protected]> wrote:
>
>> On Wed, Mar 23, 2011 at 2:56 PM, David Barbero <[email protected]> wrote:
>>
>>> Alberto Mijares <[email protected]> wrote:
>>>
>>>> Squid can not store in cache the content from https traffic; however, you are still able to create ACLs to control the access to these URIs.
>>>>
>>>> Check out your ACL.
>>>
>>> Squid cannot store and cannot filter https connections. When the client opens a https connection, squid only makes a tunnel from client to server and doesn't see anything of the content or URL (it only sees the destination IP). The only way to block https connections is to filter by destination IP in pf or an ACL (I'm not sure if this works properly with squid ACLs), but squid or squidguard can't filter a SSL connection directly.
>>
>> That is absolutely wrong. Squid (with SquidGuard) in a TRANSPARENT PROXY configuration can not filter https traffic.
>> If you are using explicit proxy settings in your browser, https (and just about any other protocol) can be filtered.
>> As I said earlier in this thread, I have the exact configuration that the original poster was looking for:
>> - SquidGuard filters according to a third-party blacklist of websites.
>> - All ports that are handled by Squid/SquidGuard, including 80 (http) and 443 (https), are redirected by pfSense (using a NAT rule) to an error page explaining how to set up a proxy in different browsers.
>> - We are not using Squid for the purpose of caching, only filtering (limited hard drive space, otherwise we might).
>>
>> If anyone wants specific details about how to set up this configuration, I might be able to help you as my time allows.
>>
>> - Yehuda
>
> The thread talks of transparent proxy and I just talked about transparent proxy, so it is not wrong, that's right; if we put the direct proxy it would be wrong :P
>
> Cheers.
squid is naturally not a content filter/blocking system, even if you can block sites/IPs and ports or any combination with it ;-)

squid can block https access to specific sites and generally to the https ports.

another question in this schema: "how secure would https be, if you could transparently proxy it and hang a content filter on it?" :O

i suggest the extended use of the all-knowing oracle "google".

for a bit of fun: put *.facebook.com into your dns-masquerader and point it to the internal IP of the firewall or to 127.0.0.1 :D (* -> www, or whatever else; i am not aware if the dns-forwarder can match wildcards)

Deny all other DNS besides the access to the firewall.

regards
--
= = = http://michael-schuh.net/ = = =
Project management - IT consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
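To make the explicit-versus-transparent distinction from the thread concrete, here is an added squid.conf fragment (written for this summary, not taken from the thread or from the pfSense Squid package). It assumes an explicit proxy that browsers are configured to use, a LAN of 192.168.1.0/24, and a constructed placeholder address range for the transparent case; the transparent-mode block only applies where port 443 is actually redirected into Squid, which the plain pfSense transparent setup described above does not do.

```conf
# Added example, not from the thread: squid.conf ACLs for the two cases discussed.
# Assumed LAN range for the proxy's clients.
acl localnet src 192.168.1.0/24

# --- Explicit proxy: the browser sends "CONNECT www.example.com:443", so the
# hostname is visible and a dstdomain ACL can match it. A leading dot matches
# the domain and all of its subdomains (covers the "*.facebook.com" case).
acl SSL_ports port 443
acl CONNECT method CONNECT
acl blocked_https dstdomain .facebook.com
http_access deny CONNECT blocked_https

# Refuse tunnels to anything other than the HTTPS port, so CONNECT cannot be
# used to reach arbitrary TCP ports through the proxy.
http_access deny CONNECT !SSL_ports

# --- Transparent (intercepted) mode: Squid only knows the destination IP of
# the TCP connection, so the best it can do is match by address.
# 198.51.100.0/24 is a constructed placeholder (TEST-NET-2), not a real site.
acl blocked_https_ip dst 198.51.100.0/24
http_access deny blocked_https_ip

# Let the LAN use the proxy; deny everything else.
http_access allow localnet
http_access deny all
```

Check the effect with `squidclient` or by watching access.log: in explicit mode a blocked site shows up as a denied CONNECT with the hostname, while in intercepted mode only the destination IP is ever logged.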
