Internet Related/Filtering/Firewall Thread, LGFL synetrix web filtering in Technical; Those of you running local content filters - I'm interested to know how this works for SSL/TLS traffic. I assume ...
27th April 2010, 11:46 PM #16
Those of you running local content filters - I'm interested to know how this works for SSL/TLS traffic. I assume you are configuring browsers to connect to local proxy servers and the traffic is then sent on to the upstream proxy at Synetrix. If this is the case, are you still able to take advantage of the content filters at Synetrix to block the really nasty sites that operate over SSL/TLS? My understanding is that this is problematic since in this configuration, the Synetrix content filters are effectively 'transparent proxies' and it's not possible to transparent proxy SSL/TLS due to chain of trust issues (unless running as man-in-the-middle).
28th April 2010, 08:24 AM #17
We have made the decision to block all SSL traffic with squid. We have an exceptions list on the Squid ACL that lets us allow exam pages like Edexcel and the few others that need to ba accesses. When you think about it there are very few pages that people actually need that are SSL...
I cant say for sure, having never tested it, but having set up the synetrix proxy as a cache that squid forwards all traffic to I am under the impression that it works exactly the same way as if the traffic went directly there.
28th April 2010, 06:26 PM #18
@aj - a local content filter is not going to let synetrix "see" inside an ssl transaction - as it will re-encrypt (or just look at host headers). You'll either need quality local filters OR go whitelist as tyiell has.
29th April 2010, 09:56 PM #19
Thanks Tom, that's exactly what I thought. I was hoping to get confirmation from someone who has been there and done it. The only doubt I had was that I was unsure if a local proxy was able to link to an upstream proxy. I'm still not 100% clear on how SSL traffic is proxied unless the proxy just acts as some kind of router, passing packets between the client and server. Do you know of any good explanations on the net?
Just found this (Tunneling SSL Through a WWW Proxy) which seems to explain it. I cannot see any reason in principle why there could not be a chain of proxies, each one sends the CONNECT message on to the next in order to prepare for the connection. Once all proxies are 'alerted', then the client can set up the TLS connection and all the proxies would presumably just pass it through. Indeed, the line
suggests that this would work. This would mean that the filtering could be applied at each proxy. Any reason why this would not work?
This specification applies also to proxy servers talking to other proxy servers. As an example, double firewalls make this necessary. In this case, the inner proxy is simply considered a client with respect to the outer proxy.
Last edited by ajbritton; 30th April 2010 at 06:53 AM.
30th April 2010, 09:53 AM #20
You're correct about how simple proxies can "see" HTTPS domains using the parameter to CONNECT.
If you were using an upstream p[roxy it would also be able to see this, but only if that upstrem proxy was also a "traditional" proxy. If your existing proxy (which you intend to make your upstream proxy) is transparent, then the new proxy will not have an upstream proxy set, but will be requesting pages through the transparent upstream proxy, which *still* won't see the HTTPS domain.
To rephrase: If you have a proxy which isn't presently seeing the domain, then no amount of downstream proxying will help (in the general case).
Edge case: You may be able to use a transparent intercepting HTTPS proxy to achieve this. The only proxy of this type I am aware of is in our development lab
Edit: Feel free to call me if you want to discuss this further - maybe I am misunderstanding what you need and are trying to achieve. Happy to talk "non SmoothWall" proxy stuff, as I am sure others will testify
Thanks to tom_newton from:
ajbritton (30th April 2010)
30th April 2010, 09:36 PM #21
Many thanks Tom. To be honest, there is no particular problem I'm trying to solve other than just trying to understand what is and isn't possible. I'll PM you with more details rather than hijack this thread any more.
9th June 2010, 11:17 PM #22
- Rep Power
dull and non tech note
as said previously on this thread you can filter by IP address where PCs are identified for staff use only.
You can also alter filtering by time slot, if you want to allow access during a training day for example.
If you move to full use of LGfL USO (which does not have a cost) an additional service (which does have a cost) is per user level filtering, but i know, because i have one school working on this, that it is not fully developed yet. I use this solution for the filtering on the laptops for looked after children, and i am able to have 6 different profiles.
By vsnider in forum London Grid for Learning (LGfL)
Last Post: 23rd October 2009, 01:11 PM
By Face-Man in forum Educational IT Jobs
Last Post: 17th December 2008, 10:14 AM
By Dafty in forum Windows
Last Post: 23rd May 2008, 08:29 AM
By ltunstall in forum Network and Classroom Management
Last Post: 14th April 2008, 06:08 PM
By pooley in forum Windows
Last Post: 1st April 2006, 12:16 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)