* https permit/deny @ 2007-02-11 16:21 vects 2007-02-11 17:45 ` Leonardo Rodrigues Magalhães 0 siblings, 1 reply; 6+ messages in thread From: vects @ 2007-02-11 16:21 UTC (permalink / raw) To: netfilter Hi, I'm looking for solution of the next problem, I have to enable/disable an access to list of https web servers, I don't know in advance IPs of them, permit rule must be based of the url user typed in location bar. Is possible to do that by iptables and extentions? I thought about l7 filter. Any help/hints will be appreciated very much. Thanks, Alexc. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny 2007-02-11 16:21 https permit/deny vects @ 2007-02-11 17:45 ` Leonardo Rodrigues Magalhães 2007-02-11 16:55 ` vects 0 siblings, 1 reply; 6+ messages in thread From: Leonardo Rodrigues Magalhães @ 2007-02-11 17:45 UTC (permalink / raw) To: vects; +Cc: netfilter Never used l7 for doing that kind of filtering, dont know if it's possible. Anyway, if you need some hard filtering based on URLs, both http and https, i would recommend that you use an http/https proxy, just like squid, for doing that. Completly block https (TCP/443) traffic with iptables and get your clients for use an http/https proxy and does the filtering there. I'm pretty convinced it will be easier and you'll have a lot more flexibility on the rules. Squid's ACLs are pretty flexible, you should give it a try. vects escreveu: > Hi, > > I'm looking for solution of the next problem, I have to enable/disable > an access to list of https web servers, I don't know in advance IPs of > them, permit rule must be based of the url user typed in location bar. > > Is possible to do that by iptables and extentions? > I thought about l7 filter. > > -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertrudes@solutti.com.br My SPAMTRAP, do not email it ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny 2007-02-11 17:45 ` Leonardo Rodrigues Magalhães @ 2007-02-11 16:55 ` vects 2007-02-11 18:42 ` Leonardo Rodrigues Magalhães 0 siblings, 1 reply; 6+ messages in thread From: vects @ 2007-02-11 16:55 UTC (permalink / raw) To: Leonardo Rodrigues Magalhães; +Cc: netfilter On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote: > Never used l7 for doing that kind of filtering, dont know if it's > possible. > > Anyway, if you need some hard filtering based on URLs, both http and > https, i would recommend that you use an http/https proxy, just like > squid, for doing that. > > Completly block https (TCP/443) traffic with iptables and get your > clients for use an http/https proxy and does the filtering there. I'm > pretty convinced it will be easier and you'll have a lot more > flexibility on the rules. Squid's ACLs are pretty flexible, you should > give it a try. Does it work in transparent mode ( I mean for https)? I just can't tell all clients to use squid by phone, https filtering must be hidden for them. As I know the latest squid supports totally transparent mode, is that working for https also? Thanks, Alexc. > > > vects escreveu: > > Hi, > > > > I'm looking for solution of the next problem, I have to enable/disable > > an access to list of https web servers, I don't know in advance IPs of > > them, permit rule must be based of the url user typed in location bar. > > > > Is possible to do that by iptables and extentions? > > I thought about l7 filter. > > > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny 2007-02-11 16:55 ` vects @ 2007-02-11 18:42 ` Leonardo Rodrigues Magalhães 2007-02-13 7:28 ` vects 0 siblings, 1 reply; 6+ messages in thread From: Leonardo Rodrigues Magalhães @ 2007-02-11 18:42 UTC (permalink / raw) To: netfilter vects escreveu: > On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote: > >> Never used l7 for doing that kind of filtering, dont know if it's >> possible. >> >> Anyway, if you need some hard filtering based on URLs, both http and >> https, i would recommend that you use an http/https proxy, just like >> squid, for doing that. >> >> Completly block https (TCP/443) traffic with iptables and get your >> clients for use an http/https proxy and does the filtering there. I'm >> pretty convinced it will be easier and you'll have a lot more >> flexibility on the rules. Squid's ACLs are pretty flexible, you should >> give it a try. >> > Does it work in transparent mode ( I mean for https)? > I just can't tell all clients to use squid by phone, https filtering > must be hidden for them. As I know the latest squid supports totally > transparent mode, is that working for https also? > httpS simply cant be treated in completly transparent modes, because that would be detected as a 'man-in-the-middle' attack by the browser and would break the end-to-end criptography that SSL/TLS uses. http can be completly transparent, but https cannot. Anyway, if you search the archives, you'll find that it's a common opinion that iptables it not the right place, even with layer7 patches, to do complex layer7 filtering. It can even do some application filtering, but it's not supposed for replacing application proxy tools, just like squid for http/https. Complex rules can be applied in an easier and more flexible way in the application layer, with an appropriate application proxy. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertrudes@solutti.com.br My SPAMTRAP, do not email it ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny 2007-02-11 18:42 ` Leonardo Rodrigues Magalhães @ 2007-02-13 7:28 ` vects 2007-02-13 7:58 ` Frank Petran 0 siblings, 1 reply; 6+ messages in thread From: vects @ 2007-02-13 7:28 UTC (permalink / raw) To: Leonardo Rodrigues Magalhães; +Cc: netfilter On Sun, 2007-02-11 at 15:42 -0300, Leonardo Rodrigues Magalhães wrote: > > vects escreveu: > > On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote: > > > >> Never used l7 for doing that kind of filtering, dont know if it's > >> possible. > >> > >> Anyway, if you need some hard filtering based on URLs, both http and > >> https, i would recommend that you use an http/https proxy, just like > >> squid, for doing that. > >> > >> Completly block https (TCP/443) traffic with iptables and get your > >> clients for use an http/https proxy and does the filtering there. I'm > >> pretty convinced it will be easier and you'll have a lot more > >> flexibility on the rules. Squid's ACLs are pretty flexible, you should > >> give it a try. > >> > > Does it work in transparent mode ( I mean for https)? > > I just can't tell all clients to use squid by phone, https filtering > > must be hidden for them. As I know the latest squid supports totally > > transparent mode, is that working for https also? > > > > httpS simply cant be treated in completly transparent modes, because > that would be detected as a 'man-in-the-middle' attack by the browser > and would break the end-to-end criptography that SSL/TLS uses. agree. > > http can be completly transparent, but https cannot. I have to find some other solution for my task, sounds like iptables with l7 is the one for me. Does somebody know another list I can ask for help? > > Anyway, if you search the archives, you'll find that it's a common > opinion that iptables it not the right place, even with layer7 patches, > to do complex layer7 filtering. It can even do some application > filtering, but it's not supposed for replacing application proxy tools, > just like squid for http/https. Complex rules can be applied in an > easier and more flexible way in the application layer, with an > appropriate application proxy. As I said I have some condition, I can't contact customers and ask them to define proxy server, this prevents me to use application proxy for https. Thanks, Alexc ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny 2007-02-13 7:28 ` vects @ 2007-02-13 7:58 ` Frank Petran 0 siblings, 0 replies; 6+ messages in thread From: Frank Petran @ 2007-02-13 7:58 UTC (permalink / raw) To: netfilter On Tuesday 13 February 2007 08:28, vects wrote: > As I said I have some condition, I can't contact customers and ask them > to define proxy server, this prevents me to use application proxy for > https. Why don't you just setup an automatic proxy configuration? All, the customer needs to do than, is to select "automatic proxy discovery" in his/her Browser. The Internet Explorer, which most people tend to use anyway, already has this preconfigured. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2007-02-13 7:58 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2007-02-11 16:21 https permit/deny vects 2007-02-11 17:45 ` Leonardo Rodrigues Magalhães 2007-02-11 16:55 ` vects 2007-02-11 18:42 ` Leonardo Rodrigues Magalhães 2007-02-13 7:28 ` vects 2007-02-13 7:58 ` Frank Petran
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.