[squid-users] reverse-proxy with client certificates pass-thru

Jason Haar Jason_Haar at trimble.com
Mon Feb 16 23:03:52 UTC 2015


On 17/02/15 11:34, Amos Jeffries wrote:
> There is splice mode in 3.5. Which is to say "don't bump that traffic".

If you have a reverse-proxy between a client and backend server and the
backend server insists on seeing the client cert, then I think at best
squid is simply a TCP forwarder (i.e. splice mode). It could be easier to
put an xinetd-based forwarder in place or even to publish the backend
onto the Internet directly. Basically squid can add nothing.

We're going through the same process with Microsoft's SCCM server. The
agents use client certs, but we're hoping we can disable the requirement
for client certs on the backend and get the DMZ "security portal" to do
that check itself (as we trust patching our "security portal" more than
patching Microsoft apps). However, that probably won't work and then we
too will be basically doing a TCP forward...

In all fairness, any HTTPS web server that is kept patched, and which
requires validating client certs before even getting to the home page is
an extremely hard target to hack. Irrespective of the security quality
of the web application itself, if the bad guys can't actually interact
with the web app (because they have no client cert), then their options
are extremely limited.

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
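The "security portal does the client-cert check itself" option discussed in the post above, as an added example that is not part of the original thread and not taken from Squid's own documentation: a Squid 3.5 accelerator (reverse-proxy) configuration in which the DMZ proxy requires and validates the agent's client certificate, then reaches the backend over a separate TLS connection. The hostname sccm.example.com, the backend address 10.0.0.10, the CA/cert file paths and the peer name are assumptions.

```conf
# Added example (not from the thread): Squid 3.5 accelerator-mode config in
# which the DMZ proxy, not the backend, requires and validates the agent's
# client certificate. Hostnames, addresses and file paths are placeholders.
#
# Squid terminates TLS here and opens its own TLS session to the backend, so
# the backend never sees the agent's certificate. This only works if the
# backend can be told to stop demanding client certificates; if it cannot,
# the proxy is reduced to splicing/forwarding the TCP stream, as the post says.

# Public-facing listener. clientca= makes Squid request a client certificate
# and fail the handshake unless the presented cert chains to a CA listed in
# agent-ca.pem (the "fail if no peer cert" check is enforced unless
# sslflags=DELAYED_AUTH is set). NO_DEFAULT_CA keeps the system CA bundle
# out of that decision, so only the agent CA is trusted for client certs.
https_port 443 accel defaultsite=sccm.example.com \
    cert=/etc/squid/portal.crt key=/etc/squid/portal.key \
    clientca=/etc/squid/agent-ca.pem \
    sslflags=NO_DEFAULT_CA

# Backend origin server, reached over TLS and verified against the internal
# CA; ssldomain= is the name the backend's certificate is checked against.
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/backend-ca.pem \
    ssldomain=sccm.example.com \
    name=sccm_backend

# Only relay requests for the published site to that peer, and nothing else.
acl sccm_site dstdomain sccm.example.com
cache_peer_access sccm_backend allow sccm_site
cache_peer_access sccm_backend deny all
http_access allow sccm_site
http_access deny all
```

The check worth running after deploying this is the negative one: a `curl https://sccm.example.com/` with no `--cert` must fail during the TLS handshake rather than return the site's front page, and the backend's own logs should show every request arriving from the proxy's address only. The caveat is the one the post already makes: the agent's certificate stops at the proxy, so any per-client authorization the backend used to derive from the certificate has to be reimplemented at the proxy or dropped.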
