My head hurts ...
OK, let's see if we can sort this out:
There is one point I would like to clarify asap: unless all HTTPS flow is denied ...
But of course we aren't trying to block all HTTPS traffic. Just some. What I'm saying is that Squid, it appears, can't discriminate about HTTPS traffic in the same way it can for HTTP traffic. I can block some HTTP traffic without having to block all HTTP traffic. So far, it seems HTTPS traffic cannot be handled in the same way using Zentyal. But maybe I'm just badly confused ...
However, if the real point here is that we shouldn't be using a transparent proxy in the first place, we have other issues to hash out that are outside the scope of this topic. For to me, that brings us squarely back to the idea that Zentyal needs to find a home in a VDI world--where I might reasonably do away with transparent proxies for device-independent virtual desktops.
I will elaborate on this later (I definitely hardly write short posts), but I do want first to clarify the misunderstanding about Squid not handling HTTPS, which is the reason given for filtering having to be done in the FW. This is not correct.
Again, what it seems that Squid cannot do is discriminate this HTTPS traffic from that HTTPS traffic. I'm not saying I know that for a fact, but I'm saying that I have yet to see clearly how I can parallel Zentyal's HTTP site blocking capability for HTTPS traffic. Maybe I'm just dumber than a stump?
1 - HTTP PROXY module is deployed to handle and potentially filter HTTP and HTTPS protocols. Why, if there is no technical constraint, would you authorize bypassing it for HTTPS?
Because I don't seem to be able to block some HTTPS traffic. Out of the box, Zentyal simply blocks all HTTPS traffic when using a transparent proxy.
2 - having to control HTTP(S) flow using 2 different interfaces (proxy and fw) depending on whether it's HTTP or HTTPS is a bit confusing, isn't it?
Well, at this point I'm more confused by where we're headed here than I am by Zentyal, but I'm not giving up.
3 - what if tomorrow Facebook moves to another IP? Will you adapt FW rule?
Well, why not? I am constantly editing the HTTP site rules (people legitimately need access to blocked sites, Zentyal delivers a false positive, etc.). So while the process is different, it all takes time, one way or another.
If you can do it, just try my way of achieving it and let me know...
I am dumber than a stump for sure, because I'm just not clear how even to try your way. I am really missing something here.