Proxy question

Fabian Keil freebsd-listen at fabiankeil.de
Mon Mar 5 15:51:10 UTC 2007


Bart Silverstrim <bsilver at chrononomicon.com> wrote:

> We are currently running Squid and SquidGuard on FreeBSD for  
> monitoring/proxying web browsing activity at our workplace.  The  
> problem is that some users figured out how to use a specific type of  
> proxy to bypass protections...specifically, they're going through an  
> https site.
> 
> Is it possible to run a proxy that can monitor https connections and  
> block them if necessary?

To monitor https connections the proxy has to run a man-in-the-middle
attack and unless you change the certificates on the clients, this
will cause browser warnings and confuse users.

Depending on your country it may also be illegal if you don't inform
the users about it, but of course that's true for monitoring in general.

If you're only talking about blocking SSL connections to hosts
that aren't white-listed, you can simply block CONNECT requests
on the proxy and use a packet filter to make sure the clients
can't just bypass the proxy.

I assume that Squid itself can block CONNECT requests based on
the hostname, but if it can't, you could add Privoxy to your
proxy chain to do that.

Fabian
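As an added illustration of the CONNECT-blocking approach described above (this is not from Fabian's reply or from the Squid project; the domain names are placeholders and the rule order assumes a stock squid.conf layout), a squid.conf fragment that only lets the proxy tunnel https to an explicit list of approved hosts:

```squid
# Added example: restrict CONNECT (the method browsers use to tunnel
# https through a proxy) to a short list of approved hosts.
# The domain names below are placeholders; replace them with your own list.

# Match CONNECT requests and the standard https port.
acl CONNECT method CONNECT
acl SSL_ports port 443

# Hosts users may reach over https. A leading dot also matches
# subdomains (".example.com" covers "www.example.com").
acl allowed_ssl_hosts dstdomain .example.com .example.org

# Never tunnel to non-standard ports (the usual squid.conf default).
http_access deny CONNECT !SSL_ports

# Permit CONNECT only to the approved hosts; deny every other tunnel.
http_access allow CONNECT allowed_ssl_hosts
http_access deny CONNECT

# ... the existing http_access rules for plain http follow here ...
```

With this in place a browser that tries to tunnel to an unlisted https host gets a 403 from the proxy, and the attempt is recorded in access.log as TCP_DENIED, which also gives you a record of which hosts people tried to reach. As the reply notes, the rules only help if the packet filter on the gateway lets outbound TCP 80/443 originate from the proxy host alone, so a client cannot simply skip the proxy.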