[dns-operations] need recommendation for filtering outbound HTTPS
Paul Vixie
paul at redbarn.org
Mon May 13 00:36:32 UTC 2019
On Sunday, 12 May 2019 16:26:05 UTC Grant Taylor wrote:
> On 5/12/19 1:10 AM, Paul Vixie wrote:
> > i see that squid is not the only forward proxy available for HTTPS
> > now. for example:
> >
> > https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https
>
> I don't see any discussion of certificates for Nginx's forward proxy
> CONNECT support. This makes me think that it's not functioning as an
> SSL / TLS bump in the wire like Squid can.
to be clear, if there's a CONNECT verb, it's not bump-in-the-wire.
also, in TLS 1.3 w/ encrypted SNI, the only way to do bump-in-the-wire is to
force a downgrade to TLS 1.2. this is what i expect "next-gen firewalls" and
the chinese "great firewall" to do. clients or servers who won't tolerate the
downgrade will fail, but that will be seen by some network operators as the
lesser cost (compared to allowing DoH through.)
i don't want to proxy everything. but the https proxy protocol, and socks, do
not have a way to tell the initiator, "you don't need me for this connection,
just try again without a proxy". and TLS 1.3 w/ ESNI makes it impossible to be
selective in what the forward proxy decrypts, it has to be everything.
our alternatives and their costs have been carefully managed for us here.
--
Paul