[squid-users] Proxy chain question

Amos Jeffries squid3 at treenet.co.nz
Fri May 22 03:18:30 UTC 2015


On 22/05/2015 4:58 a.m., Lucas van Braam van Vloten wrote:
> Hello list,
> 
> In my network I have a Microsoft TMG proxy server for http(s) access to
> internet.
> This TMG server also serves as a reverse proxy to channel incoming
> traffic to a Squid reverse proxy in the internal network (yes, two
> reverse proxies in a line)

Any particular reason? It may prevent Squid being able to do what you want.

> 
> This Squid server is currently configured as a reverse proxy to allow
> traffic from internet to a number of webservices that run on an internal
> server.
> 
> Now I want to add a function to the squid server, in addition to the
> existing function. It should serve as a proxy to allow a client on the
> internal network to access a web service on internet.
> So, put simply, the traffic goes like this:
> Internal client -> Squid Proxy -> TMG proxy -> internet webservice

From that diagram I'm a little doubtful that reverse-proxy is the right
way to do it here. Proxies at the client end of the connectivity are
usually forward- or interceptor- proxies.


> 
> The reason to use this configuration is because the internet webservice
> requires a client certificate for authentication, and TMG is not able to
> handle this.

Squid will not be able to handle this either unless it is directly
connecting to that service without the TMG in the way.

Because TLS is a point-to-point security protocol, any proxy agent in the
middle must terminate the client's TLS and start its own server
connection for the next hop. Squid does not (yet) support sending
CONNECT over a peer proxy to bypass the TMG.

So in your current setup Squid sending the client cert will be sending
it to authenticate with the *TMG* - not the web service.


> So now I am trying to configure this on my Squid server. I wish to make
> my configuration as restrictive as possible. But I am new to the Squid
> configuration, and I could use some help.
> 
> So basically, I want the following:
> 1. The client makes a http connection to my Squid proxy
> 2. The Squid proxy initiates the client certificate authenticated
> connection to the internet webservice
> 3. The connection from the Squid proxy to Internet uses the TMG proxy.
> 
> I do not wish to use any form of caching on my Squid server.
> 
> I considered using a configuration similar to my reverse proxy
> configuration, using the following structure:
> (this configuration works)
> 
> =====================
> 
> # Designate a port and SSL config for this specific webservice
> # Local server IP is 192.168.0.1, traffic comes in through the TMG
> https_port 192.168.0.1:1443 accel defaultsite=webservice.exposed.address.com vhost <SSL stuff>
> 
> # enforce use of https
> acl webapp_SITES dstdomain webservice.exposed.address.com
> http_access deny HTTP webapp_SITES
> http_access allow webapp_SITES
> 
> # Configure the reverse proxy for clients that connect to the external
> (exposed) address
> acl webapp_URL url_regex ^https://webservice.exposed.address.com
> cache_peer internal.server.lan parent 8080 0 no-query no-digest originserver login=PASS name=webservice_APP
> cache_peer_access webservice_APP allow webapp_URL
> cache_peer_access webservice_APP deny all
> 
> =====================
> 
> So if I use this for my new purpose, I assume that the cache_peer would
> be the internet webservice address, and I could use the sslcert option
> to make it use the client certificate. Something like this:
> 
> =====================
> 
> http_port 192.168.0.1:8080 accel defaultsite=squid.server.lan vhost
> acl webapp_URL url_regex ^http://squid.server.lan
> # ssl turns on TLS to the peer; sslcert/sslkey supply the client certificate (Squid 3.x option names)
> cache_peer webservice.somewhere.on.internet.com parent 8443 0 no-query no-digest originserver ssl sslcert=/path/to/ssl/cert sslkey=/path/to/ssl/key name=webservice_APP
> cache_peer_access webservice_APP allow webapp_URL
> cache_peer_access webservice_APP deny all
> 
> =====================

That is the correct way to do it outbound from Squid. But the catch as
mentioned above is where the TLS link gets terminated (the TMG or the
web service).

Since the TMG is a reverse-proxy the DNS records for the cache_peer
domain name point at the TMG instead of the Internet service. You have
to have the cache_peer going directly to the server which uses/requires
the client certificate. Which means using the IP or, if available, the
service's own host name to avoid the TMG.

Which cycles back to that first question I had at the top about why the
TMG exists at all. You may or may not be able to do this without a full
topology redesign.

Amos
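As an added illustration of the outbound leg Amos describes (this is not configuration from the original thread, nor Squid project documentation), the following squid.conf fragment puts the pieces together for Squid 3.5-era syntax: a plain forward-proxy listener for the internal client, a cache_peer that reaches the Internet service directly over TLS with the client certificate, no direct fallback, and no caching. Every name, address and path is a placeholder assumption: 192.168.0.0/24 as the internal subnet, service.example.com:8443 as a name or IP that resolves to the service itself rather than to the TMG, and certificate files under /etc/squid/certs/.

```conf
# Added example, not from the original post. Assumptions: internal
# clients live in 192.168.0.0/24, the Internet service is reachable
# directly (bypassing the TMG) as service.example.com on port 8443,
# and the client certificate, its key and the service's CA bundle are
# stored under /etc/squid/certs/. Adjust every name and path.

# Forward-proxy listener for internal clients. Deliberately not
# "accel": the client sends an ordinary proxy request such as
# GET http://service.example.com/api HTTP/1.1 and Squid opens the
# TLS session to the peer on the client's behalf.
http_port 192.168.0.1:8080

# Restrict both who may use the listener and where they may go.
acl internal_net src 192.168.0.0/24
acl webapp_SITES dstdomain service.example.com

http_access allow internal_net webapp_SITES
http_access deny all

# The peer is the origin itself. "ssl" enables TLS to the peer,
# sslcert/sslkey present the client certificate, and sslcafile makes
# Squid verify the service's server certificate against a known CA.
# The certificate is presented to whatever answers on 8443, so that
# endpoint must be the service and not an intermediate proxy.
cache_peer service.example.com parent 8443 0 no-query no-digest originserver ssl sslcert=/etc/squid/certs/client.pem sslkey=/etc/squid/certs/client.key sslcafile=/etc/squid/certs/service-ca.pem name=webservice_APP
cache_peer_access webservice_APP allow webapp_SITES
cache_peer_access webservice_APP deny all

# Never fall back to a direct connection: if the peer is unavailable
# the request fails rather than leaving over some other path.
never_direct allow all

# No caching on this box at all.
cache deny all
```

Before trusting the setup, confirm which hop actually terminates TLS. Running `openssl s_client -connect service.example.com:8443` from the Squid host should print an "Acceptable client certificate CA names" section from the far end; if that section is absent, or the name still resolves to the TMG address, the client certificate will be offered to the TMG and the authentication Amos warns about will fail.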

