From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: netfilter@lists.netfilter.org
Subject: Re: https permit/deny
Date: Sun, 11 Feb 2007 15:42:26 -0300	[thread overview]
Message-ID: <45CF6392.4080300@solutti.com.br> (raw)
In-Reply-To: <1171212955.25395.104.camel@act17.actcom.co.il>



vects wrote:
> On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
>   
>>     Never used l7 for doing that kind of filtering, don't know if it's 
>> possible.
>>
>>     Anyway, if you need some hard filtering based on URLs, both http and 
>> https, I would recommend that you use an http/https proxy, just like 
>> squid, for doing that.
>>
>>     Completely block https (TCP/443) traffic with iptables and get your 
>> clients to use an http/https proxy and do the filtering there. I'm 
>> pretty convinced it will be easier and you'll have a lot more 
>> flexibility on the rules. Squid's ACLs are pretty flexible, you should 
>> give it a try.
>>     
> Does it work in transparent mode ( I mean for https)? 
> I just can't tell all clients to use squid by phone, https filtering
> must be hidden for them. As I know the latest squid supports totally
> transparent mode, is that working for https also?
>   

    HTTPS simply can't be treated in a completely transparent mode, because 
that would be detected as a 'man-in-the-middle' attack by the browser 
and would break the end-to-end cryptography that SSL/TLS uses.

    http can be completely transparent, but https cannot.

    Anyway, if you search the archives, you'll find that it's a common 
opinion that iptables is not the right place, even with layer7 patches, 
to do complex layer7 filtering. It can even do some application 
filtering, but it's not meant to replace application proxy tools 
such as squid for http/https. Complex rules can be applied in an 
easier and more flexible way in the application layer, with an 
appropriate application proxy.

-- 


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it
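The setup recommended in this thread (intercept plain HTTP into squid, reject direct HTTPS so browsers have to be configured for the explicit proxy, and do the URL/host filtering in squid's ACLs) as an added example. It is not code from the email or from the squid/netfilter projects; the interface name, addresses, ports and blocked domains are assumptions, and `http_port ... transparent` is the squid 2.6-era keyword (newer squid spells it `intercept`). The functions only emit the rules and config text; applying the iptables rules requires root and is done only when the script is run with `apply`.

```shell
#!/bin/sh
# Added example for the thread's advice. Every value below is an assumption
# chosen for illustration; adjust to the real gateway before use.
LAN_IF="${LAN_IF:-eth1}"               # assumed LAN-facing interface of the gateway
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed client network
PROXY_IP="${PROXY_IP:-192.168.1.1}"    # assumed address of the squid box (this gateway)
SQUID_PORT="${SQUID_PORT:-3128}"       # explicit proxy port clients are configured for
SQUID_TPORT="${SQUID_TPORT:-3129}"     # port squid uses for intercepted (transparent) HTTP

# Firewall side: HTTP (80) from the LAN is silently redirected into squid,
# which works because the browser does not expect end-to-end crypto there.
# HTTPS (443) is rejected on the forward path instead of redirected, since a
# transparent interception would break the TLS session and show up as a
# man-in-the-middle in the browser. Clients reach squid's explicit port only.
gen_iptables_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET ! -d $PROXY_IP -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_TPORT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_TPORT -j ACCEPT
EOF
}

# Proxy side: a squid.conf fragment. The dstdomain ACL matches the host of
# both plain GET requests and the CONNECT requests browsers issue for HTTPS,
# so one deny line covers http and https for the listed domains.
# Usage: gen_squid_acl .example.net .example.org   (domains are assumptions)
gen_squid_acl() {
    printf 'http_port %s\n' "$SQUID_PORT"
    printf 'http_port %s transparent\n' "$SQUID_TPORT"
    printf 'acl SSL_ports port 443\n'
    printf 'acl CONNECT method CONNECT\n'
    printf 'acl blocked_sites dstdomain'
    for d in "$@"; do printf ' %s' "$d"; done
    printf '\n'
    printf 'http_access deny blocked_sites\n'
    printf 'http_access deny CONNECT !SSL_ports\n'
    printf 'acl localnet src %s\n' "$LAN_NET"
    printf 'http_access allow localnet\n'
    printf 'http_access deny all\n'
}

# "apply" loads the firewall rules (root required); "squid" prints the
# squid.conf fragment for the domains given after it.
case "${1:-}" in
    apply) gen_iptables_rules | sh ;;
    squid) shift; gen_squid_acl "$@" ;;
esac
```

Run `sh filter.sh squid .example.net` (assumed file name) to see the squid fragment, and `sh filter.sh apply` as root on the gateway to load the rules; the REJECT on 443 is what forces clients onto the explicit proxy that the email describes, while port 80 keeps working without any client-side change.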

Thread overview: 6+ messages
2007-02-11 16:21 https permit/deny vects
2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
2007-02-11 16:55   ` vects
2007-02-11 18:42     ` Leonardo Rodrigues Magalhães [this message]
2007-02-13  7:28       ` vects
2007-02-13  7:58         ` Frank Petran
