 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Fwd: [m0n0wall] dansguardian squid transparent proxy rdr
 Date:  Thu, 28 Dec 2006 16:57:12 +0000
Hi,

In message
<6207f7d90612271235g6be87652v76ac13e8e52cf61a at mail dot gmail dot com>, Don
Munyak <don dot munyak at gmail dot com> writes
>---------- Forwarded message ----------
>From: SDamron <sdamron at gmail dot com>
>Date: Dec 27, 2006 1:44 PM
>Subject: Re: [m0n0wall] dansguardian squid transparent proxy rdr
>To: Don Munyak <don dot munyak at gmail dot com>
>Cc: m0n0wall at lists dot m0n0 dot ch
>
>
>Yeah, and you can't.  If you do not want them to be able to surf their
>bank accounts, or check their web based email using SSL, then you
>either block SSL (port 443) or you block specific sites, one or the
>other.  I work for a company where we have over 60 proxy servers which
>feed upstream to a reverse proxy, and we have to do it the same way;
>there is no way to filter anything that is connected using SSL, you
>either block SSL, or the sites.
>
>
>What a monkey-nut I is :)
>
>After I re-read this a few times it occurred to me that even if I
>could redirect the ssl connection, the simple fact that the connection
>is encrypted would prevent dansguardian from filtering the packet
>details.

You need to configure your clients to use the proxy, rather than using
an intercepting proxy.  When the browsers are configured for the proxy
they will send a CONNECT request.  You will then be able to block based
on the destination server (domain name or IP address), but you won't
see the URL path at all.

This means you still have a log of what server the user connected to but
not exactly what they did whilst they were there.  That is the best
you'll get without breaking the certificate chain and having the user
prompted on each request (which is technically possible but really
screws around with the authenticity of a secure connection).

HTH,


                                Neil.

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
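To make Neil's point concrete, here is an added example (not code from the thread, from m0n0wall, Squid or DansGuardian) that models what a client-configured proxy can and cannot see. The policy lists (BLOCKED_DOMAINS, BLOCKED_NETS, SSL_PORTS), the client address and every request line below are constructed for the example. A browser that knows about the proxy sends `CONNECT host:port` for HTTPS, so the proxy can allow or deny on host/IP and port and log that, but once it answers `200 Connection established` it only relays opaque TLS bytes; a plain `GET http://...` through the same proxy exposes the full URL.

```python
"""What a configured (non-intercepting) HTTP proxy sees for HTTPS vs HTTP.

Added example with constructed inputs; no real sockets are opened.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical policy for this example. A real deployment would load it from
# Squid ACLs or DansGuardian lists, not from literals.
BLOCKED_DOMAINS = {"webmail.example.net", "bank.example.com"}  # domain and subdomains
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]        # TEST-NET-3, constructed
SSL_PORTS = {443}                                              # like Squid's SSL_ports ACL

# Request lines a proxy receives. CONNECT carries only host:port; the
# absolute-form GET/POST/HEAD used for plain HTTP carries the whole URL.
CONNECT_RE = re.compile(r"^CONNECT (?P<host>\S+?):(?P<port>\d{1,5}) HTTP/1\.[01]$")
ABS_URL_RE = re.compile(r"^(?P<method>GET|POST|HEAD) (?P<url>https?://\S+) HTTP/1\.[01]$")


@dataclass
class Decision:
    action: str                 # "allow" or "deny"
    proxy_reply: Optional[str]  # status line the proxy itself answers, if any
    log_entry: str              # the most the proxy can record for this request


def _host_blocked(host: str) -> bool:
    """Match a destination by IP network or by domain suffix."""
    host = host.strip("[]").rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in BLOCKED_NETS)
    except ValueError:
        pass  # not an IP literal, fall through to the domain check
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def decide(request_line: str, client: str = "192.0.2.10") -> Decision:
    """Apply the policy to one request line exactly as a configured proxy sees it."""
    m = CONNECT_RE.match(request_line)
    if m:
        host, port = m["host"], int(m["port"])
        if port not in SSL_PORTS or _host_blocked(host):
            return Decision("deny", "HTTP/1.1 403 Forbidden",
                            f"{client} CONNECT {host}:{port} DENIED")
        # From here on the proxy shuttles TLS bytes blindly: it never learns
        # the path, query string, headers or response body.
        return Decision("allow", "HTTP/1.1 200 Connection established",
                        f"{client} CONNECT {host}:{port} ALLOWED (path unknown)")

    m = ABS_URL_RE.match(request_line)
    if m:
        url = urlsplit(m["url"])
        if _host_blocked(url.hostname or ""):
            return Decision("deny", "HTTP/1.1 403 Forbidden",
                            f"{client} {m['method']} {m['url']} DENIED")
        # Plain HTTP: the full URL is visible, so a content filter can act on it.
        # The origin server's response is relayed, the proxy answers nothing itself.
        return Decision("allow", None,
                        f"{client} {m['method']} {m['url']} ALLOWED")

    # Origin-form requests like "GET / HTTP/1.1" make no sense to a proxy.
    return Decision("deny", "HTTP/1.1 400 Bad Request",
                    f"{client} malformed request line")


def visible_in_tunnel(chunk: bytes) -> dict:
    """What an allowed CONNECT tunnel exposes: the byte count and whether the
    chunk starts with a TLS record header (content type 0x16, version 0x03),
    nothing about the HTTP request carried inside."""
    is_tls = len(chunk) >= 3 and chunk[0] == 0x16 and chunk[1] == 0x03
    return {"bytes": len(chunk), "tls_record": is_tls}


if __name__ == "__main__":
    for line in [
        "CONNECT bank.example.com:443 HTTP/1.1",
        "CONNECT www.example.org:443 HTTP/1.1",
        "CONNECT www.example.org:22 HTTP/1.1",
        "GET http://www.example.org/some/path?q=1 HTTP/1.1",
    ]:
        d = decide(line)
        print(f"{line!r:55} -> {d.action:5} {d.proxy_reply or '(relayed)'} | {d.log_entry}")
    # Constructed first bytes of a TLS ClientHello inside an allowed tunnel.
    print(visible_in_tunnel(b"\x16\x03\x01\x00\x05hello"))
```

The contrast in the log lines is the whole point of Neil's reply: for HTTPS the proxy can write down `CONNECT host:443 ALLOWED` and nothing more, while for plain HTTP the path and query string are there for DansGuardian to inspect. Port restriction on CONNECT is also worth keeping, since an unrestricted CONNECT lets clients tunnel arbitrary TCP through the proxy.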