Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
SDN 101: An Introduction to Software Defined Networking
Discover the advantages of SDN.
SDN has quickly become one of the hottest trends in IT. But not all SDN solutions offer real software-defined functionality. As more enterprises consider SDN, they want to know, “What is SDN? And what are the real benefits?” If you're ready to explore the advantages of SDN, and want to know how it should be implemented within your enterprise, start by reading our introductory white paper.
Click Here to receive this Complete Guide absolutely free.
Hello, i have a transparent proxy with squid and dansguardian, i can deny pages via http protocol, but i cannot deny pages with https protocol like: https://imo.im, i was reading and i dont find a way to fix this problem, can anybody help me with a solution about it?
if you redirect port 443 to 3128 or proxy listening port, tranparent squid proxy wont handle https(because https is encrypted protocol).are you access internet with proxy setting or without proxy setting on your web browser (actually if you setup transparent proxy you dont need to add proxy setting on web browser)??. I think there are some useful discussion about transparent proxy on this forum
rossonieri#1, the Squid FAQ clearly states that it only does transparent proxying for HTTP. Regardless, the only way for Squid (or any other proxy server, for that matter) to achieve an effect similar to transparent proxying for HTTPS is to conduct a man-in-the-middle attack with or without the client's consent. Keep in mind this implies issuing your own digital certificate and getting it accepted by the clients. There are HOWTOs on how to do this with Squid. So yes, kirukan is absolutely correct, simply redirecting port 443 to Squid won't ever work like it does for port 80.
You can always use IP tables to drop the packets at the firewall
But that would kinda suck, since you'd need to be constantly aware of any changes in IPs for the domain, putting you at risk for false access grants and denials. IMHO, the most effective means to block access to specific HTTPS sites is to stop doing SNAT for port 443 and instead make clients connect to Squid for that. Then it becomes as simple as making a Squid ACL.
nice catch. ya i know that squid by default doesnt do https transparent proxying (and or any other ports except 80 & 21). Actually i agreed with both you and kirukan in terms default squid https handling - but as you mentioned also actually it can do https transparent proxying by issuing cert on behalf the squid client (or somekind of legitimate MITM).
yess well, I concern about allowing all https sites in a common way but by this ssl certificate method which is mentioned on squid website is only for known https sites. If we want to allow some specific or known https sites, this method may be suitable. But my point is that i am going to setup a transparent proxy for public. In this situation how does the method can be effective(can we add all https websites one by one?)
It is known fact that in the real world we dont know how many https sties are available. At this instance do u prefer this ssl certificate method??
that was only an example using some known secure sites as target, but in the real world we take it as https/SSL termination - that is how this SSL & SSL proxying thing works.
why people prefer not to proxy/cache any https/SSL request (currently - after some proxy development) were only on those some SSL termination problem and publishing certs on behalf clients. it indeed took a lot of effort.
secure means you've consciously trusted both end-points (server and client) - so you need to explicitly define which your target domain is. - otherwise, all this secure thing (SSL) will fall off to basic unsecure http connection.