Update: SQUID transparent SSL interception : Squid v3.2

In order to keep this blog post a bit more relevant, there have been some improvements since that post was written. Squid v3.2 has been released earlier this year, making ssl interception more seamless and easier. The new features for HTTPS interception can be found while reading through the man page for http_port: http://www.squid-cache.org/Versions/v3/3.2/cfgman/http_port.html More specifically: … Continue reading Update: SQUID transparent SSL interception : Squid v3.2

Preserving client IP w/ apache reverse proxy

We recently had a scenario where an apache reverse proxy needed to be deployed in front of a pair of tomcat servers. Due to security concerns, this reverse proxy was hosting mod_security and acting as a web application firewall (WAF) However, a critical requirement was that the tomcat applications would be able to see the … Continue reading Preserving client IP w/ apache reverse proxy

Dansguardian : lessons learned

To dis-allow users from connecting to a site via IP rather than URL name (so bypassing filtering unless you use the time consuming forward / reverse lookup feature), uncomment the following line in the bannedsitelist: *ip To enable syslog, the default dansguardian.conf uses: # Syslog logging # # Use syslog for access logging instead of … Continue reading Dansguardian : lessons learned

Tips and Tricks : Fiddler

When troubleshooting website issue (such as parts of the website not loading, infinite redirect loops, and so on) the web debugger tools Fiddler2 comes in handy. This is especially so when troubleshooting HTTPS issues. Wireshark is a bit difficult to use when troubleshooting encrypted sessions because unless you are given the private keys from the … Continue reading Tips and Tricks : Fiddler

SQUID transparent SSL interception

July 2012: Small update on new versions of squid (squid v 3.2) here There seems to be a bit of confusion about configuring SQUID to transparently intercept SSL (read: HTTPS) connections. Some sites say it’s plain not possible: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 Recent development in SQUID features have made this possible. This article explores how to set this up … Continue reading SQUID transparent SSL interception

User based access control for Skype

I recently wrote an article for Bluecoat describing how to limit Skype access based on usernames and passwords. The article is available here. This got me wondering if I can achieve the same functionality that the Bluecoat ProxySG offers but using open source programs. In short…. yes we can with a little tinkering. For those … Continue reading User based access control for Skype