* https permit/deny
@ 2007-02-11 16:21 vects
2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
0 siblings, 1 reply; 6+ messages in thread
From: vects @ 2007-02-11 16:21 UTC (permalink / raw)
To: netfilter
Hi,
I'm looking for solution of the next problem, I have to enable/disable
an access to list of https web servers, I don't know in advance IPs of
them, permit rule must be based of the url user typed in location bar.
Is possible to do that by iptables and extentions?
I thought about l7 filter.
Any help/hints will be appreciated very much.
Thanks, Alexc.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny
2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
@ 2007-02-11 16:55 ` vects
2007-02-11 18:42 ` Leonardo Rodrigues Magalhães
0 siblings, 1 reply; 6+ messages in thread
From: vects @ 2007-02-11 16:55 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: netfilter
On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
> Never used l7 for doing that kind of filtering, dont know if it's
> possible.
>
> Anyway, if you need some hard filtering based on URLs, both http and
> https, i would recommend that you use an http/https proxy, just like
> squid, for doing that.
>
> Completly block https (TCP/443) traffic with iptables and get your
> clients for use an http/https proxy and does the filtering there. I'm
> pretty convinced it will be easier and you'll have a lot more
> flexibility on the rules. Squid's ACLs are pretty flexible, you should
> give it a try.
Does it work in transparent mode ( I mean for https)?
I just can't tell all clients to use squid by phone, https filtering
must be hidden for them. As I know the latest squid supports totally
transparent mode, is that working for https also?
Thanks, Alexc.
>
>
> vects escreveu:
> > Hi,
> >
> > I'm looking for solution of the next problem, I have to enable/disable
> > an access to list of https web servers, I don't know in advance IPs of
> > them, permit rule must be based of the url user typed in location bar.
> >
> > Is possible to do that by iptables and extentions?
> > I thought about l7 filter.
> >
> >
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny
2007-02-11 16:21 https permit/deny vects
@ 2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
2007-02-11 16:55 ` vects
0 siblings, 1 reply; 6+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2007-02-11 17:45 UTC (permalink / raw)
To: vects; +Cc: netfilter
Never used l7 for doing that kind of filtering, dont know if it's
possible.
Anyway, if you need some hard filtering based on URLs, both http and
https, i would recommend that you use an http/https proxy, just like
squid, for doing that.
Completly block https (TCP/443) traffic with iptables and get your
clients for use an http/https proxy and does the filtering there. I'm
pretty convinced it will be easier and you'll have a lot more
flexibility on the rules. Squid's ACLs are pretty flexible, you should
give it a try.
vects escreveu:
> Hi,
>
> I'm looking for solution of the next problem, I have to enable/disable
> an access to list of https web servers, I don't know in advance IPs of
> them, permit rule must be based of the url user typed in location bar.
>
> Is possible to do that by iptables and extentions?
> I thought about l7 filter.
>
>
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny
2007-02-11 16:55 ` vects
@ 2007-02-11 18:42 ` Leonardo Rodrigues Magalhães
2007-02-13 7:28 ` vects
0 siblings, 1 reply; 6+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2007-02-11 18:42 UTC (permalink / raw)
To: netfilter
vects escreveu:
> On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
>
>> Never used l7 for doing that kind of filtering, dont know if it's
>> possible.
>>
>> Anyway, if you need some hard filtering based on URLs, both http and
>> https, i would recommend that you use an http/https proxy, just like
>> squid, for doing that.
>>
>> Completly block https (TCP/443) traffic with iptables and get your
>> clients for use an http/https proxy and does the filtering there. I'm
>> pretty convinced it will be easier and you'll have a lot more
>> flexibility on the rules. Squid's ACLs are pretty flexible, you should
>> give it a try.
>>
> Does it work in transparent mode ( I mean for https)?
> I just can't tell all clients to use squid by phone, https filtering
> must be hidden for them. As I know the latest squid supports totally
> transparent mode, is that working for https also?
>
httpS simply cant be treated in completly transparent modes, because
that would be detected as a 'man-in-the-middle' attack by the browser
and would break the end-to-end criptography that SSL/TLS uses.
http can be completly transparent, but https cannot.
Anyway, if you search the archives, you'll find that it's a common
opinion that iptables it not the right place, even with layer7 patches,
to do complex layer7 filtering. It can even do some application
filtering, but it's not supposed for replacing application proxy tools,
just like squid for http/https. Complex rules can be applied in an
easier and more flexible way in the application layer, with an
appropriate application proxy.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny
2007-02-11 18:42 ` Leonardo Rodrigues Magalhães
@ 2007-02-13 7:28 ` vects
2007-02-13 7:58 ` Frank Petran
0 siblings, 1 reply; 6+ messages in thread
From: vects @ 2007-02-13 7:28 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: netfilter
On Sun, 2007-02-11 at 15:42 -0300, Leonardo Rodrigues Magalhães wrote:
>
> vects escreveu:
> > On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
> >
> >> Never used l7 for doing that kind of filtering, dont know if it's
> >> possible.
> >>
> >> Anyway, if you need some hard filtering based on URLs, both http and
> >> https, i would recommend that you use an http/https proxy, just like
> >> squid, for doing that.
> >>
> >> Completly block https (TCP/443) traffic with iptables and get your
> >> clients for use an http/https proxy and does the filtering there. I'm
> >> pretty convinced it will be easier and you'll have a lot more
> >> flexibility on the rules. Squid's ACLs are pretty flexible, you should
> >> give it a try.
> >>
> > Does it work in transparent mode ( I mean for https)?
> > I just can't tell all clients to use squid by phone, https filtering
> > must be hidden for them. As I know the latest squid supports totally
> > transparent mode, is that working for https also?
> >
>
> httpS simply cant be treated in completly transparent modes, because
> that would be detected as a 'man-in-the-middle' attack by the browser
> and would break the end-to-end criptography that SSL/TLS uses.
agree.
>
> http can be completly transparent, but https cannot.
I have to find some other solution for my task, sounds like iptables
with l7 is the one for me.
Does somebody know another list I can ask for help?
>
> Anyway, if you search the archives, you'll find that it's a common
> opinion that iptables it not the right place, even with layer7 patches,
> to do complex layer7 filtering. It can even do some application
> filtering, but it's not supposed for replacing application proxy tools,
> just like squid for http/https. Complex rules can be applied in an
> easier and more flexible way in the application layer, with an
> appropriate application proxy.
As I said I have some condition, I can't contact customers and ask them
to define proxy server, this prevents me to use application proxy for
https.
Thanks, Alexc
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: https permit/deny
2007-02-13 7:28 ` vects
@ 2007-02-13 7:58 ` Frank Petran
0 siblings, 0 replies; 6+ messages in thread
From: Frank Petran @ 2007-02-13 7:58 UTC (permalink / raw)
To: netfilter
On Tuesday 13 February 2007 08:28, vects wrote:
> As I said I have some condition, I can't contact customers and ask them
> to define proxy server, this prevents me to use application proxy for
> https.
Why don't you just setup an automatic proxy configuration? All, the customer
needs to do than, is to select "automatic proxy discovery" in his/her
Browser. The Internet Explorer, which most people tend to use anyway, already
has this preconfigured.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2007-02-13 7:58 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2007-02-11 16:21 https permit/deny vects
2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
2007-02-11 16:55 ` vects
2007-02-11 18:42 ` Leonardo Rodrigues Magalhães
2007-02-13 7:28 ` vects
2007-02-13 7:58 ` Frank Petran
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.