[squid-users] transparent https interception without mitm

From: James Harper <james_at_ejbdigital.com.au>
Date: Fri, 11 Jul 2014 11:43:48 +0000

Is it possible for squid to intercept and apply ACLs to https without actually decrypting and generating certificates etc.? The conversation would go something like:

- Client makes connection to IP 1.2.3.4
- Squid intercepts the connection (but doesn't respond yet)
- Squid connects to 1.2.3.4 to obtain the hostname (CN or other identifier) of the certificate [1]
- Squid applies ACL rules to the hostname [2]
- If the ACL results in a deny then the client connection is dropped [3]
- If the ACL results in an allow then a new connection is made to 1.2.3.4 and squid just blindly proxies the TCP connection

[1] I believe certificates can be valid for multiple hostnames, and wildcards, so this would have to be taken into account
[2] stream is encrypted, so obviously no access to URL etc
[3] dropped, because there isn't much else you can do with it, although maybe at this point a fake cert could be used to supply an "access denied" page?

The main thing I would find this useful for is simply for logging.

I've checked the docs but https_port appears to require a certificate, which isn't what I want.

Thanks

James
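The ACL step of the scheme above, written out as an added example (this is not Squid code and not from the original post). It takes the names a server certificate carries, in the dict layout Python's ssl.SSLSocket.getpeercert() returns, and evaluates them against an ordered list of Squid dstdomain-style rules (".example.com" covers the domain and all subdomains, "host.example.com" is exact). It deals with footnote [1] explicitly: a certificate covering several names is only allowed if every name is allowed, and a wildcard name that might stand for a denied host fails closed. The ACL, the certificates and the default-deny policy are constructed for the demonstration.

```python
"""ACL decision for an intercepted TLS connection using only the names the
server's certificate carries (added example, not Squid code).  Certificates
use the dict layout returned by ssl.SSLSocket.getpeercert(), so
cert_hostnames() also works on a real peer certificate; the certificates and
ACL below are constructed for the demo.  Rule syntax follows Squid's
dstdomain ACL: ".example.com" covers the domain and every subdomain,
"host.example.com" is an exact match."""

DEFAULT_ACTION = "deny"  # assumption: nothing matched -> deny, like a closing "deny all"


def cert_hostnames(cert):
    """Every DNS identity the certificate claims: subjectAltName DNS entries,
    then the subject commonName.  Either may be a wildcard like *.example.com."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value.lower())
    seen = set()
    return [n for n in names if not (n in seen or seen.add(n))]


def name_matches_rule(name, rule):
    """Tri-state match of one certificate name against one dstdomain rule.
    True  -> every host the name can stand for is inside the rule
    False -> no host the name can stand for is inside the rule
    None  -> undecidable: a wildcard name covers hosts both inside and
             outside the rule (e.g. *.example.net vs "evil.example.net")."""
    if not name.startswith("*."):
        if rule.startswith("."):
            return name == rule[1:] or name.endswith(rule)
        return name == rule
    parent = name[2:]  # "*.example.net" -> "example.net"
    if rule.startswith("."):
        suffix = rule[1:]
        if parent == suffix or parent.endswith("." + suffix):
            return True  # all of *.parent lives under the rule's suffix
        # ".x.parent" overlaps the wildcard only when x is a single label
        one_label_below = rule.endswith("." + parent) and "." not in suffix[: -len(parent) - 1]
        return None if one_label_below else False
    # exact rule: it is one of the wildcard's hosts only if it sits exactly
    # one label below parent
    if rule.endswith("." + parent) and "." not in rule[: -len(parent) - 1]:
        return None
    return False


def verdict_for_name(name, acl):
    """Walk the ACL in order; the first decisive rule wins.  An undecidable
    match counts as a hit for a deny rule (fail closed) and as a miss for an
    allow rule.  Returns (action, matched_rule_or_None)."""
    for action, rule in acl:
        m = name_matches_rule(name, rule)
        if m is True or (m is None and action == "deny"):
            return action, rule
    return DEFAULT_ACTION, None


def decide(cert, acl):
    """Decision for the whole connection.  The client could be talking to any
    name the certificate covers, so the connection is allowed only if every
    name is allowed; per-name verdicts are returned for the access log."""
    verdicts = [(name,) + verdict_for_name(name, acl) for name in cert_hostnames(cert)]
    allowed = bool(verdicts) and all(action == "allow" for _, action, _ in verdicts)
    return ("allow" if allowed else "deny"), verdicts


# Constructed ACL, in rule order.
ACL = [
    ("allow", ".bank.example.com"),
    ("deny", "evil.example.net"),
    ("allow", ".example.net"),
    ("allow", "shared.example.org"),
]

# Constructed certificates in ssl.getpeercert() layout.
CERT_BANK = {
    "subject": ((("commonName", "bank.example.com"),),),
    "subjectAltName": (("DNS", "bank.example.com"), ("DNS", "www.bank.example.com")),
}
CERT_WILDCARD = {  # the wildcard could be evil.example.net: fail closed
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}
CERT_SHARED = {  # one cert covering an allowed and a denied host (footnote [1])
    "subject": ((("commonName", "shared.example.org"),),),
    "subjectAltName": (("DNS", "shared.example.org"), ("DNS", "evil.example.net")),
}

if __name__ == "__main__":
    for label, cert in [("bank", CERT_BANK), ("wildcard", CERT_WILDCARD), ("shared", CERT_SHARED)]:
        action, verdicts = decide(cert, ACL)
        print(f"{label}: {action}")
        for name, name_action, rule in verdicts:
            print(f"    {name}: {name_action} (rule {rule!r})")
```

A certificate with no DNS names at all (an IP-only certificate, or one the probe could not fetch) yields an empty verdict list and is denied, which is the right default for a filter that has nothing else to go on.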
Received on Fri Jul 11 2014 - 11:44:00 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 12 2014 - 12:00:05 MDT