I had a similar problem. A transparent proxy is incompatible with SSL, as far
as I know. Configuring each computer to use a proxy - either manually or by
script - is time consuming.
So I decided to use WPAD+Squid. Problem solved. The drawback is the overhead
in the internal web server. Every time a new browser session is initiated,
the browser connects to the internal web server to identify how to reach the
Internet. The advantage is that you can do filtering using WPAD, too.
I don't know if it will work for you, so... good luck!
Rgds
Marcello
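As an added illustration of the "filtering using WPAD" that Marcello mentions (this is not his configuration, nor Squid's or OpenBSD's code), here is a wpad.dat PAC file that sends only allow-listed HTTPS sites to Squid and points every other HTTPS request at a sink proxy where nothing listens. The proxy address, the sink address and the allowed domains are constructed assumptions.

```javascript
// Added example: a WPAD PAC file (wpad.dat) served by the internal web
// server. Browsers call FindProxyForURL(url, host) for every request.
// Addresses and domains below are assumptions, not from the thread.

var SQUID = "PROXY 192.0.2.10:3128"; // assumed Squid listener
var SINK = "PROXY 127.0.0.1:9";      // nothing listens here: acts as a deny

// HTTPS sites an end user may reach; subdomains of each entry also match.
var ALLOWED_HTTPS = ["gmail.com", "mail.google.com"];

// True when host equals domain or ends with "." + domain. Written with
// plain string operations rather than the PAC helper dnsDomainIs(), so the
// same file runs in a browser PAC engine and under Node for testing.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.length > domain.length &&
    host.substring(host.length - domain.length - 1) === "." + domain;
}

function isAllowedHttpsHost(host) {
  for (var i = 0; i < ALLOWED_HTTPS.length; i++) {
    if (hostInDomain(host, ALLOWED_HTTPS[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Browsers strip the path from https URLs before calling a PAC script,
  // so only the scheme and the host are relied on here.
  if (url.toLowerCase().indexOf("https:") === 0) {
    return isAllowedHttpsHost(host) ? SQUID : SINK;
  }
  // Plain HTTP always goes to Squid, where its own ACLs do the filtering.
  return SQUID;
}
```

Because a PAC file only steers cooperating browsers, the firewall still has to block direct port 443 from client machines (so only Squid can reach the Internet) and Squid should repeat the same allow list in its CONNECT ACLs; otherwise a user who disables proxy auto-detection bypasses the whole scheme.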
----- Original Message -----
From: "Matthew Young" <myoung24...@gmail.com>
To: "Bob Beck" <b...@ualberta.ca>; <misc@openbsd.org>
Sent: Thursday, October 29, 2009 5:57 PM
Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Hello,
If I use a reverse proxy I would have to know the SSL key of the
remote SSL site (gmail.com) so that the reverse proxy server would
decrypt and encrypt. If I am not mistaken.
-- Matt
On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck <b...@ualberta.ca> wrote:
apache or other reverse proxy.
2009/10/29 Matthew Young <myoung24...@gmail.com>:
Hello,
I am looking for a way to have an allowed list of SSL enabled sites
that an end user can browse, but this entirely done on a server level
with _zero_ configuration on the pc.
In a dream world, squid would be able to transparently proxy https and
thus I would create an allowed list of ssl sites specific to each LAN
user (based on private IP or MAC) that he/she can access. As we know
this isn't the case because this breaks SSL.
Does anybody know a way I can actually accomplish this?
My Thoughts:
I thought of a way to then take my list of SSL enabled sites
(gmail.com for example) and resolve the domain to an IP and then add
it in a firewall so that X user has
access to port 443 for only those specific IPs. However the downside
to this is that if gmail (or any other site I do this for) changes the IP
(which they will) the firewall rule which is static would need an
update. Besides, gmail's https hostname resolves to the same IP of
google.com A records so I would be fiddling with those at the same
time and thus basically be allowing or disallowing the entire google
domain when I truly really wanted just an access list of gmail.com.
Would there be a way to make then some type of sniffer which would
capture when users try to enter an https site and then somehow create a
dynamic rule of some kind to let traffic out based on an allowed list?
There must be a practical way, right guys?
Thanks
--Matt