[squid-users] Proxy chain question

Lucas van Braam van Vloten lucas2 at dds.nl
Fri May 22 13:49:38 UTC 2015


Hello,

Thanks for your reply.

> Any particular reason?
Unfortunately this double setup is not my choice, our architects
prescribe use of the TMG proxy as mandatory for all internet access from
the internal network. No exceptions.
> Since the TMG is a reverse-proxy (...)
This is true only for inbound traffic coming from internet; TMG acts as
a forward proxy for outbound traffic.

So the updated diagram for what I am trying to accomplish would be
something like this:

               http       https       https
Internal client ->  Squid  ->   TMG    -> internet webservice
                  (reverse    (forward    
                   proxy)      proxy)

> Squid will not be able to handle this either unless it is directly
connecting to that service without the TMG in the way.

I noticed that if I configure the Squid proxy as a forward proxy and the
TMG as its peer, I can initiate and authenticate a secure connection to
the internet web service from a browser in the local network (using the
squid proxy). Apparently the TMG is passed transparently and TLS is
terminated on the webservice. Intuitively I would assume that,
therefore, there should also be some way to initiate a https connection,
and handle the certificate authentication, from the squid server itself.

Considering the updated diagram, do you think this can be done in Squid?

Thanks,
Lucas




-----Original Message-----From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Proxy chain question
Date: Fri, 22 May 2015 15:18:30 +1200

On 22/05/2015 4:58 a.m., Lucas van Braam van Vloten wrote:
> Hello list,
> 
> In my network I have a Microsoft TMG proxy server for http(s) access to
> internet.
> This TMG server also serves as a reverse proxy to channel incoming
> traffic to a Squid reverse proxy in the internal network (yes, two
> reverse proxies in a line)

Any particular reason? It may prevent Squid being able to do what you want.

> 
> This Squid server is currently configured as a reverse proxy to allow
> traffic from internet to a number of webservices that run on an internal
> server.
> 
> Now I want to add a function to the squid server, in addition to the
> existing function. It should serve as a proxy to allow a client on the
> internal network to access a web servoce on internet.
> So, put simply, the traffic goes like this:
> Internal client -> Squid Proxy -> TMG proxy -> internet webservice

>From that diagram I'm a little doubtful that reverse-proxy is the right
way to do it here. Proxy at the client end of the connectivity are
usually forward- or interceptor- proxy.


> 
> The reason to use this configuration is because the internet webservice
> requires a client certificate for authentication, and TMG is not able to
> handle this.

Squid will not be able to handle this either unless it is directly
connecting to that service without the TMG in the way.

Because TLS is point-to-point security protocol, any proxy agent in the
middle must terminate the clients TLS and start its own server
connection for the next hop. Squid does not (yet) support sending
CONNECT over a peer proxy to bypass the TMG.

So in your current setup Squid sending the client cert will be sending
it to to authenticate with the *TMG* - not the web service.


> So now I am trying to configure this on my Squid server. I wish to make
> my configuration as restrictive as possible. But I am new to the Squid
> configuration, and I could use some help.
> 
> So basically, I want the following:
> 1. The client makes a http connection to my Squid proxy
> 2. The Squid proxy initiates the client certificate authenticated
> connection to the internet webservice
> 3. The connection from the Squid proxy to Internet uses the TMG proxy.
> 
> I do not wish to use any form of caching on my Squid server.
> 
> I considered using a configuration similar to my reverse proxy
> configuration, using the following structure:
> (this configuration works)
> 
> =====================
> 
> # Designate a port and SSL config for this specific webservice
> # Local server IP is 192.168.0.1, traffic comes in through the TMG
> https_port 192.168.0.1:1443 accel
> defaultsite=webservice.exposed.address.com vhost <SSL stuff>
> 
> # enforce use of https
> acl webapp_SITES dstdomain webservice.exposed.address.com
> http_access deny HTTP webapp_SITES
> http_access allow webapp_SITES
> 
> # Configure the reverse proxy for clients that connect to the external
> (exposed) address
> acl webapp_URL url_regex ^https://webservice.exposed.address.com
> cache_peer internal.server.lan parent 8080 0 no-query no-digest
> originserver login=PASS name=webservice_APP
> cache_peer_access webservice_APP allow webapp_URL
> cache_peer_access webservice_APP deny all
> 
> =====================
> 
> So if I use this for my new purpose, I assume that the cache_peer would
> be the internet webservice address, and I could use the sslcert option
> to make it use the client certificate. Something like this:
> 
> =====================
> 
> http_port 192.168.0.1:8080 accel defaultsite=squid.server.lan vhost
> acl webapp_URL url_regex ^http://squid.server.lan
> cache_peer webservice.somewhere.on.internet.com parent 8443 0 no-query
> no-digest originserver sslkey=/path/to/ssl/key name=webservice_APP
> cache_peer_access webservice_APP allow webapp_URL
> cache_peer_access webservice_APP deny all
> 
> =====================

That is the correct way to do it outbound from Squid. But the catch as
mentioned above is where the TLS link gets terminated (the TMG or the
web service).

Since the TMG is a reverse-proxy the DNS records for the cache_peer
domain name points at the TMG instead of the Internet service. You have
to have the cache_peer directly going to the server which uses/requires
the client certificate. Which means using IP or if available the
services own host name to avoid the TMG.

Which cycles back to that first question I had at the top about why the
TMG exists at all. You may or may not be able to do this without a full
topology redesign.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list