[squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

Anton Radkevich anton at radkevich.info
Wed Feb 4 09:05:20 UTC 2015


Guys,

I just need an HTTPS proxy that can handle both http and https connections
for authorised clients only. I tried to configure something like it's
described here
http://www.mail-archive.com/squid-users@squid-cache.org/msg93592.html
Forward HTTPs proxy with digest_pw_auth for example.

But I am getting the same error clientNegotiateSSL: Error negotiating SSL
connection on FD 6: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http
request (1/-1) if I try to open a website (http or https) with proxy
enabled on browser settings: protocol https, server proxy-squid.com, port
3129, test:test (user/password)

If I understood correctly from our communication it's not possible to
configure squid like it is described above. Or ther

browser(proxy settings: protocol - https, server -proxy-squid.com, port
-3129, test:test (user/password)) <------> Squid Server (https_port 3129
with certificate)<--------HTTP or HTTPS connection-------> Destination

Description of the connection flow:
1. a client sets the proxy settings of his browser: https, server:port,
user:password
2. a client's credentials were verified by squid server, browser asks the
proxy to establish a virtual tunnel between itself and remote server
3. when a client enters https://example.com or http://example.com then
browser sends encrypted data through the squid proxy

Is it possible?

Thanks,
Anton

2015-02-04 6:03 GMT+03:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 4/02/2015 9:20 a.m., Anton Radkevich wrote:
> > Yuri,
> >
> > I'd like to allow or deny access for a client before establishing an
> > encrypted channel to the proxy server using an authentication method of
> > the squid proxy.
>
>
> I think you and Yuri are talking past each other on this.
>
> This page has what you want to know
> <http://wiki.squid-cache.org/Features/HTTPS>. Yuri was talking about
> section-2 connections, but I read your query as being closer to
> section-4 connections.
>
>
> > Can I setup any authentication method for https forward proxy? If yes, is
> > it possible to use more secure hash algorithms than old md5?
>
> Squid does Basic, Digest, NTLM, Negotiate, and (with a patch) Bearer.
>
> It's not clear what you mean about MD5. Do you have a specific auth
> helper like NCSA storing passwords using that hash?
>
> Amos