Thread: LGFL synetrix web filtering (Internet Related/Filtering/Firewall, Technical)
  1. #16 ajbritton (Wandsworth)
    Those of you running local content filters - I'm interested to know how this works for SSL/TLS traffic. I assume you are configuring browsers to connect to local proxy servers and the traffic is then sent on to the upstream proxy at Synetrix. If this is the case, are you still able to take advantage of the content filters at Synetrix to block the really nasty sites that operate over SSL/TLS? My understanding is that this is problematic since in this configuration, the Synetrix content filters are effectively 'transparent proxies' and it's not possible to transparent proxy SSL/TLS due to chain of trust issues (unless running as man-in-the-middle).

    Thanks.

  2. #17 Tyiell
    We have made the decision to block all SSL traffic with squid. We have an exceptions list on the Squid ACL that lets us allow exam pages like Edexcel and the few others that need to be accessed. When you think about it there are very few pages that people actually need that are SSL...

    I can't say for sure, having never tested it, but having set up the synetrix proxy as a cache that squid forwards all traffic to I am under the impression that it works exactly the same way as if the traffic went directly there.

  3. #18 tom_newton (Leeds)
    @aj - a local content filter is not going to let synetrix "see" inside an ssl transaction - as it will re-encrypt (or just look at host headers). You'll either need quality local filters OR go whitelist as tyiell has.

  4. #19 ajbritton (Wandsworth)
    Thanks Tom, that's exactly what I thought. I was hoping to get confirmation from someone who has been there and done it. The only doubt I had was that I was unsure if a local proxy was able to link to an upstream proxy. I'm still not 100% clear on how SSL traffic is proxied unless the proxy just acts as some kind of router, passing packets between the client and server. Do you know of any good explanations on the net?

    Just found this (Tunneling SSL Through a WWW Proxy) which seems to explain it. I cannot see any reason in principle why there could not be a chain of proxies, each one sends the CONNECT message on to the next in order to prepare for the connection. Once all proxies are 'alerted', then the client can set up the TLS connection and all the proxies would presumably just pass it through. Indeed, the line

    This specification applies also to proxy servers talking to other proxy servers. As an example, double firewalls make this necessary. In this case, the inner proxy is simply considered a client with respect to the outer proxy.
    suggests that this would work. This would mean that the filtering could be applied at each proxy. Any reason why this would not work?
    Last edited by ajbritton; 30th April 2010 at 06:53 AM.

  5. #20 tom_newton (Leeds)
    Andy,

    You're correct about how simple proxies can "see" HTTPS domains using the parameter to CONNECT.
    If you were using an upstream proxy it would also be able to see this, but only if that upstream proxy was also a "traditional" proxy. If your existing proxy (which you intend to make your upstream proxy) is transparent, then the new proxy will not have an upstream proxy set, but will be requesting pages through the transparent upstream proxy, which *still* won't see the HTTPS domain.

    To rephrase: If you have a proxy which isn't presently seeing the domain, then no amount of downstream proxying will help (in the general case).

    Edge case: You may be able to use a transparent intercepting HTTPS proxy to achieve this. The only proxy of this type I am aware of is in our development lab.

    Edit: Feel free to call me if you want to discuss this further - maybe I am misunderstanding what you need and are trying to achieve. Happy to talk "non SmoothWall" proxy stuff, as I am sure others will testify.

  6. Thanks to tom_newton from: ajbritton (30th April 2010)
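To make the points in posts #17, #19 and #20 concrete, here is an added illustration that is not code from this thread, from Squid, or from Synetrix/SmoothWall: a small Python model of a CONNECT request travelling through a chain of proxies. Each explicit ("traditional") hop parses the CONNECT line, applies its own hostname allow-list (the role Tyiell's Squid ACL exceptions list plays), and if it allows the request re-issues CONNECT to the next hop exactly as a client would, which is the "inner proxy is simply a client with respect to the outer proxy" behaviour ajbritton quotes. A transparent hop never receives a CONNECT line and only sees the destination IP and port, so it cannot apply a hostname policy at all, which is Tom's point in #20. Hop names and the `.example` domains are constructed for the demo.

```python
# Added example (not from the thread): toy model of HTTP CONNECT passing
# through a chain of proxies, with a hostname allow-list at each explicit hop.
import re
from dataclasses import dataclass
from typing import Optional

# CONNECT <host>:<port> HTTP/1.0|1.1 ; IPv6 hosts must be bracketed.
CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+|\[[^\]]+\]):(\d{1,5})\s+HTTP/1\.[01]\r?$")


def parse_connect(request_line: str) -> Optional[tuple[str, int]]:
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(request_line)
    if not m:
        return None
    host = m.group(1).strip("[]").lower()
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return host, port


def host_allowed(host: str, allow: set) -> bool:
    """Exact or subdomain match against an allow-list, case-insensitive.
    'notpearson.example' does NOT match 'pearson.example' (dot boundary)."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allow)


@dataclass
class Hop:
    name: str
    transparent: bool = False      # intercepts TCP; never sees a CONNECT line
    allow: Optional[set] = None    # None = no hostname policy at this hop


def walk_chain(request_line: str, hops: list) -> list:
    """Simulate one CONNECT through the chain.

    Returns one (hop name, decision, host seen) entry per hop reached.
    Decisions: "allow", "deny", "blind" (hop saw no hostname), "malformed".
    """
    trail = []
    target = parse_connect(request_line)
    for hop in hops:
        if hop.transparent:
            # Only dst IP:port visible; the CONNECT line was consumed by the
            # previous explicit proxy and the TLS bytes are opaque to us.
            trail.append((hop.name, "blind", None))
            continue
        if target is None:
            trail.append((hop.name, "malformed", None))
            break
        host, port = target
        if hop.allow is not None and not host_allowed(host, hop.allow):
            trail.append((hop.name, "deny", host))   # e.g. Squid: deny CONNECT
            break
        trail.append((hop.name, "allow", host))
        # The inner proxy is now a client of the outer one: re-issue CONNECT.
        request_line = f"CONNECT {host}:{port} HTTP/1.1"
    return trail


if __name__ == "__main__":
    # Constructed scenario: school Squid with an exam-board allow-list in
    # front of (a) an explicit upstream filter, (b) a transparent upstream.
    school = Hop("school-squid", allow={"exam-board.example"})
    explicit_upstream = Hop("upstream-explicit", allow={"exam-board.example"})
    transparent_upstream = Hop("upstream-transparent", transparent=True)
    for req in ("CONNECT portal.exam-board.example:443 HTTP/1.1",
                "CONNECT nasty.example:443 HTTP/1.1"):
        print(req, "->", walk_chain(req, [school, explicit_upstream]))
    # With no local policy and a transparent upstream, nobody filters by host.
    print(walk_chain("CONNECT nasty.example:443 HTTP/1.1",
                     [Hop("school-squid"), transparent_upstream]))
```

The model deliberately treats a transparent hop as blind to the hostname: a real intercepting box could recover the name from the TLS ClientHello's SNI, but that is the "transparent intercepting HTTPS proxy" edge case Tom describes, not the ordinary transparent proxy behaviour the thread is about.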

  7. #21 ajbritton (Wandsworth)
    Many thanks Tom. To be honest, there is no particular problem I'm trying to solve other than just trying to understand what is and isn't possible. I'll PM you with more details rather than hijack this thread any more.

  8. #22 pap (London)
    Dull and non-tech note:

    As said previously on this thread, you can filter by IP address where PCs are identified for staff use only.
    You can also alter filtering by time slot, if you want to allow access during a training day for example.
    If you move to full use of LGfL USO (which does not have a cost) an additional service (which does have a cost) is per-user level filtering, but I know, because I have one school working on this, that it is not fully developed yet. I use this solution for the filtering on the laptops for looked-after children, and I am able to have 6 different profiles.
