[dns-operations] need recommendation for filtering outbound HTTPS
Rubens Kuhl
rubensk at nic.br
Sun May 12 07:51:04 UTC 2019
I would try ATS before resorting to Squid:
https://trafficserver.apache.org/
While I don't know if it actually works for your use case, I always found that codebase to be much cleaner than Squid.
Rubens
> On 12 May 2019, at 14:10, Paul Vixie <paul at redbarn.org> wrote:
>
> i see that squid is not the only forward proxy available for HTTPS now. for
> example:
>
> https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https
>
> is this the state of the art? to prevent DoH bypasses to the DNS monitoring
> and policy controls (see https://dnstap.info/ and https://dnsrpz.info/) i use
> on my private networks, i'm going to have to strip-search all outbound HTTPS
> that goes toward any wide-area IP address known or suspected to offer DoH, and
> i'm going to have to return 404 for any URI that matches a known DoH endpoint.
>
> under TLS 1.3, with encrypted SID, none of the old transparent MiTM methods
> will work any more. it's going to have to be an explicit proxy, which every
> HTTPS speaker inside my network will have to import and trust a certificate
> for.
>
> while i'd be happy to learn of commercial/proprietary solutions, which i'd use
> on $dayjob's corporate network, and would blog about, i also need to know how
> the F/L/OSS community is solving this kind of problem today. hopefully it's
> not squid, but does it really require that i run a patched version of nginx?
>
> --
> Paul
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
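Added example, not code from this thread, from ATS, Squid or any other proxy project: the request-level check an explicit HTTPS proxy can run once it has terminated TLS, so that it answers 404 for DoH the way the quoted message proposes. The `Request` class is an assumed interface for whatever the proxy hands over after decryption, and `KNOWN_DOH_ENDPOINTS` and every hostname below are placeholders. It goes a step beyond a fixed endpoint list by recognising the RFC 8484 request shapes themselves (POST with `application/dns-message`, GET with a base64url `dns=` parameter that decodes to a DNS query), so a DoH server on an unlisted host or path is still caught.

```python
"""Added example (not from the thread or any proxy project): the request-level
DoH check an explicit HTTPS proxy can run after terminating TLS, answering 404
as the thread proposes.  Request, KNOWN_DOH_ENDPOINTS and the hostnames below
are placeholders/assumptions, not real deployments."""
import base64
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE = "application/dns-message"   # RFC 8484 media type

# Hypothetical operator-maintained list of (host, path) pairs known to serve DoH.
KNOWN_DOH_ENDPOINTS = {("dns.example.net", "/dns-query")}


@dataclass
class Request:
    """What the proxy hands us once TLS is stripped (assumed interface)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str:
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def looks_like_dns_query(msg: bytes) -> bool:
    """Sanity-check a blob as a DNS query in wire format: 12-byte header with
    QR=0 and opcode 0, QDCOUNT>=1, an uncompressed QNAME, then QTYPE/QCLASS."""
    if len(msg) < 12 + 1 + 4:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount == 0:
        return False
    off = 12
    while True:
        if off >= len(msg):
            return False
        label_len = msg[off]
        if label_len == 0:            # root label terminates the name
            off += 1
            break
        if label_len & 0xC0 or off + 1 + label_len > len(msg):
            return False              # compression pointer or truncated label
        off += 1 + label_len
    return off + 4 <= len(msg)        # room for QTYPE and QCLASS


def decode_dns_param(value: str) -> Optional[bytes]:
    """RFC 8484 GET carries the query as unpadded base64url in ?dns=..."""
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:                # binascii.Error is a ValueError
        return None


def classify_doh(req: Request) -> Optional[str]:
    """Return why the request is DoH, or None if it is ordinary HTTPS."""
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in KNOWN_DOH_ENDPOINTS:
        return "known-endpoint"
    content_type = req.header("Content-Type").split(";")[0].strip().lower()
    if req.method.upper() == "POST" and content_type == DNS_MESSAGE:
        return "post-dns-message"
    if req.method.upper() == "GET":
        for value in parse_qs(parts.query).get("dns", []):
            wire = decode_dns_param(value)
            if wire is not None and looks_like_dns_query(wire):
                return "get-dns-param"
    if DNS_MESSAGE in req.header("Accept").lower():
        return "accept-dns-message"   # client pre-declaring DoH, weaker signal
    return None


def proxy_decision(req: Request) -> Optional[int]:
    """The policy from the thread: 404 for anything that is DoH, else None
    (pass the request through to the origin)."""
    return 404 if classify_doh(req) else None


def build_query(qname: str = "example.com", qtype: int = 1) -> bytes:
    """Constructed sample: a minimal DNS query (ID 0, RD set) for testing."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def sample_requests() -> Dict[str, Request]:
    """Constructed sample traffic, labelled by what we expect the proxy to see."""
    dns_param = base64.urlsafe_b64encode(build_query()).rstrip(b"=").decode()
    return {
        "listed": Request("GET", "https://dns.example.net/dns-query"),
        "get":    Request("GET", f"https://resolver.example/resolve?dns={dns_param}"),
        "post":   Request("POST", "https://cdn.example/api/v1",
                          {"Content-Type": DNS_MESSAGE}, build_query()),
        "benign": Request("GET", "https://www.example.com/search?q=dns&dns=not-dns"),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        print(f"{label:6s} {req.method:4s} {req.url[:60]:60s} -> {classify_doh(req)}")
```

`classify_doh` is meant to sit inside whichever explicit proxy you settle on (a request hook or ACL plugin), with the proxy itself doing the TLS termination and the CA-trust distribution the thread describes; the endpoint list is the "known or suspected" set an operator maintains, and the wire-format check is what catches a resolver that was not on it yet. The `Accept` match is the weakest of the four signals and is listed last for that reason.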