[dns-operations] need recommendation for filtering outbound HTTPS

Rubens Kuhl rubensk at nic.br
Sun May 12 07:51:04 UTC 2019


I would try ATS before resorting to Squid:
https://trafficserver.apache.org/

While I don't know if it actually works for your use case, I always found that codebase to be much cleaner than Squid.


Rubens



> On 12 May 2019, at 14:10, Paul Vixie <paul at redbarn.org> wrote:
> 
> i see that squid is not the only forward proxy available for HTTPS now. for
> example:
> 
> https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https
> 
> is this the state of the art? to prevent DoH bypasses to the DNS monitoring
> and policy controls (see https://dnstap.info/ and https://dnsrpz.info/) i use
> on my private networks, i'm going to have to strip-search all outbound HTTPS
> that goes toward any wide-area IP address known or suspected to offer DoH, and
> i'm going to have to return 404 for any URI that matches a known DoH endpoint.
> 
> under TLS 1.3, with encrypted SID, none of the old transparent MiTM methods
> will work any more. it's going to have to be an explicit proxy, which every
> HTTPS speaker inside my network will have to import and trust a certificate
> for.
> 
> while i'd be happy to learn of commercial/proprietary solutions, which i'd use
> on $dayjob's corporate network, and would blog about, i also need to know how
> the F/L/OSS community is solving this kind of problem today. hopefully it's
> not squid, but does it really require that i run a patched version of nginx?
> 
> --
> Paul
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
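For reference, the policy Paul describes (explicit HTTPS proxy, trusted proxy CA on every client, bump only connections toward known DoH servers, answer 404 for known DoH URIs) is what Squid's own configuration language expresses directly. The fragment below is an added illustration and is not code from either poster, from Squid, or from ATS; the two hostnames, the certificate and cache paths, and the localnet range are placeholders chosen for the example, and the DoH host list is something you would maintain yourself from whatever sources you trust.

```conf
# Added example: Squid 4 explicit forward proxy that strip-searches HTTPS
# only toward hosts believed to offer DoH and returns 404 for DoH URIs.
# Paths, hostnames and the localnet range below are assumptions.

# Explicit proxy port. Every client must import proxy-ca.pem as a trusted CA,
# since Squid mints a per-site leaf certificate from it when it bumps.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/proxy-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 16MB

acl localnet src 192.0.2.0/24          # assumed private network

# Hosts known or suspected to offer DoH (placeholder list; maintain your own).
# ssl::server_name uses the CONNECT authority when no plaintext SNI is present.
acl doh_hosts ssl::server_name .cloudflare-dns.com dns.google

# DoH request signatures seen only after the connection is bumped:
# RFC 8484 path, and the DoH media type in POST Content-Type or GET Accept.
acl doh_path   url_regex -i ^https://[^/]+/dns-query(\?|$)
acl doh_ctype  req_header Content-Type -i application/dns-message
acl doh_accept req_header Accept       -i application/dns-message

# Bump decision: peek at the client hello, bump only DoH suspects, splice the rest.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump doh_hosts
ssl_bump splice all

# Return 404 (not Squid's default 403) for matched DoH requests.
deny_info 404:ERR_ACCESS_DENIED doh_path
deny_info 404:ERR_ACCESS_DENIED doh_ctype
deny_info 404:ERR_ACCESS_DENIED doh_accept

http_access deny  doh_path
http_access deny  doh_ctype
http_access deny  doh_accept
http_access allow localnet
http_access deny  all
```

Because only connections toward doh_hosts are bumped, the `url_regex` and `req_header` ACLs can match solely on those; everything else is spliced untouched, which keeps the proxy CA out of the path for sites you do not suspect. The weak point is the one Paul names: the host list is what selects bumping, so a DoH resolver absent from it is never inspected, and under encrypted SNI the proxy has nothing but the CONNECT authority the client chose to tell it.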
