Re: https permit/deny

All of lore.kernel.org
 help / color / mirror / Atom feed

From: vects <alexc@actcom.co.il>
To: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
Cc: netfilter@lists.netfilter.org
Subject: Re: https permit/deny
Date: Sun, 11 Feb 2007 18:55:55 +0200	[thread overview]
Message-ID: <1171212955.25395.104.camel@act17.actcom.co.il> (raw)
In-Reply-To: <45CF5652.8050306@solutti.com.br>

On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues MagalhÃ£es wrote:
>     Never used l7 for doing that kind of filtering, dont know if it's 
> possible.
> 
>     Anyway, if you need some hard filtering based on URLs, both http and 
> https, i would recommend that you use an http/https proxy, just like 
> squid, for doing that.
> 
>     Completly block https (TCP/443) traffic with iptables and get your 
> clients for use an http/https proxy and does the filtering there. I'm 
> pretty convinced it will be easier and you'll have a lot more 
> flexibility on the rules. Squid's ACLs are pretty flexible, you should 
> give it a try.
Does it work in transparent mode ( I mean for https)? 
I just can't tell all clients to use squid by phone, https filtering
must be hidden for them. As I know the latest squid supports totally
transparent mode, is that working for https also?

Thanks, Alexc.

> 
> 
> vects escreveu:
> > Hi,
> >
> > I'm looking for solution of the next problem, I have to enable/disable
> > an access to list of https web servers, I don't know in advance IPs of
> > them, permit rule must be based of the url user typed in location bar.
> >
> > Is possible to do that by iptables and extentions?
> > I thought about l7 filter.
> >
> >   
>

next prev parent reply	other threads:[~2007-02-11 16:55 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-11 16:21 https permit/deny vects
2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
2007-02-11 16:55   ` vects [this message]
2007-02-11 18:42     ` Leonardo Rodrigues Magalhães
2007-02-13  7:28       ` vects
2007-02-13  7:58         ` Frank Petran

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1171212955.25395.104.camel@act17.actcom.co.il \
    --to=alexc@actcom.co.il \
    --cc=leolistas@solutti.com.br \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.