cannot access gmail when bypassing proxy server (sometimes not always !!!!????)
-
@IT-ADMIN said:
do you thing that it is better to install squid guard ??
Possibly. I've not used it. I used an alternative to it last that I used Squid.
-
do you agree with me that : this problem happen because https traffic cannot be established if any proxy server in the middle unless you inform the browser that he should use a proxy otherwise he think that the proxy behave as man in the middle ??
but what i can't never understand is that happen sometimes, i cannot guess any cause for this madness,
-
No. Normally HTTPS is just ignored.
-
sorry, what do you mean by the last post : "No. Normally HTTPS is just ignored" , can you explain please
-
Typically proxies are configured for HTTPS traffic to just bypass the proxy. It's not normal to use the proxy for that, only for HTTP.
-
For pure proxy (using local cache to offload WAN bandwidth constraints), HTTPS isn't usually proxied. In theory, it's session-specific, so caching it would be a waste of resources, and only serve to slow the user's experience down.
For filtering, I typically use a device or service that provides transparent HTTPS inspection. Personally, I've had good luck with Sopohos UTM and the late Forefront TMG. Squid by design isn't a filter, and they say as such. They then go on to mention that if you want to use it as a filter anyway, use SquidGuard. I guess the question is: What are you looking to achieve by using the proxy?
-
@Nara right, i'm looking only for blocking some website like facebook and youtube for some users and allow them to some other users too, i'm not interested in caching, i want just to block or allow some website, but i didn't find any package to hundle this except the package called proxy server
-
A proxy is th right tool for that job but if you are not proxying HTTPS connections people won't even realize that they are blocked. They can just switch protocols and bypass the proxy. As all those sites offer HTTPS. If you block HTTPS then you have other issues.
But to use a proxy well, everyone should go through it, not just some people. The proxy should decide who gets what access.
-
yes, but the proxy server can block also https if and only if the browser is aware of the proxy server, and if the browser not using any proxy server the https traffic will pass through the proxy but the proxy will be unable to do anything with it,
-
@IT-ADMIN said:
yes, but the proxy server can block also https if and only if the browser is aware of the proxy server, and if the browser not using any proxy server the https traffic will pass through the proxy but the proxy will be unable to do anything with it,
In the way that you have set it up, yes. That need not be the case. There are many ways to architect the proxy server.
-
I've not done this in a very long time. But HTTPS setup is the correct answer to push everything through the proxy. Otherwise you need to move the proxy out of the packet path so that the bypassing clients can fully bypass it.
http://www.howtoforge.com/filtering-https-traffic-with-squid
-
i think it is time to try sophos UTM, because really this temporarily nature of this problem broke my trust toward pfSense, and what annoy me more i cannot find any explanation for this problem,
because the problem itself is not annoying but when you can't figure out the cause of the problem, that time you hate yourself. hhhh -
and this what lower my self confidence sometimes when i cannot find a cause for an IT problem, or a solution for it, since i don't have strong IT experience this take it toll on me
-
Using Squid proxy is definitely a more advanced UNIX task.
For your light need, have you considered something more simple like using hosts files? Really simple to maintain.
-
but if use only host file, sure there will be some users who will manage to access those blocked website, i think it is not a reliable solution, isn't it???
-
@IT-ADMIN said:
but if use only host file, sure there will be some users who will manage to access those blocked website, i think it is not a reliable solution, isn't it???
Can't the work around by using HTTPS now?
-
It's easier to work around all this than it is to not because you can make an external hairpin to bypass pretty much any proxy. Even billion dollar international firms can't really get around that easily.
-
I used to use Squid, but now use Trend Micro Worry-Free Business Security installed on all my clients. This handles antivirus and web protection, and the GUI makes it very easy to block specific websites or categories of websites. I haven't implemented any Active Directory integration, which is limiting, but I'm not sure how easy that is with Squid either?
I'm also trialling GFI Webmonitor, which offers a similar service but is cloud based, and therefore easier to manage our home workers.
But I used to like the Squid logs for investigating what users were up to at any given point in time. Neither Trend or GFI provides that functionality. So I may go back to Squid.
-
what about this temporarily nature of this problem, anyone can guess with me how this occur only sometimes ????!!!!!
-
can this have any explanation ?????