Re: filtering HTTPS

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Wed, 14 Mar 2012 01:25:33 +0100

tis 2012-03-13 klockan 19:27 -0300 skrev Marcus Kool:
> > Squid is not the tool for filtering non-http(s) traffic beyond requested
> > hostname.
>
> I agree. Squid is not. This task is for the URL rewritors and ICAP servers.
> One way or another, Squid should offer all data that passes through it (1)
> to a filter. I like ICAP, but ICAP is designed for HTTP and not HTTPS
> and certainly not for non-HTTP, non-HTTPS data streams.

non-HTTP traffic do not fit URLs or ICAP either. How would you map an
SSH session?

> A filter pipe is interesting. A question is on how to implement it.
> ICAP has no support for it and in my opinion ICAP should be extended
> to support this. I know it is a long way to extend existing protocols
> but maybe it works by just doing it and making it a de facto standard.

ICAP is designed for HTTP and is very message at a time oriented,
separating request & response seeing them as separate entities.

For HTTP(s) it does support piped operation where the request & response
is being filtered as it's being forwarded. It's only a matter of the
ICAP Server starting it's response before the whole request/response
have been seen.

But I do not think ICAP is suitable for general data stream
filtering/adaptation. The protocol is simply not designed for it. In a
data stream filter/adaptation you want to operate on the bidirectional
datastream as a whole.

Regards
Henrik
Received on Wed Mar 14 2012 - 00:25:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 14 2012 - 12:00:07 MDT