[squid-users] Proxy chain question

Amos Jeffries squid3 at treenet.co.nz
Sat May 23 03:53:25 UTC 2015


On 23/05/2015 1:49 a.m., Lucas van Braam van Vloten wrote:
> Hello,
> 
> Thanks for your reply.
> 
>> Any particular reason?
> Unfortunately this double setup is not my choice, our architects
> prescribe use of the TMG proxy as mandatory for all internet access from
> the internal network. No exceptions.
>> Since the TMG is a reverse-proxy (...)
> This is true only for inbound traffic coming from internet; TMG acts as
> a forward proxy for outbound traffic.
> 

Ah. Okay.

> So the updated diagram for what I am trying to accomplish would be
> something like this:
> 
>                http       https       https
> Internal client ->  Squid  ->   TMG    -> internet webservice
>                   (reverse    (forward    
>                    proxy)      proxy)
> 
>> Squid will not be able to handle this either unless it is directly
>> connecting to that service without the TMG in the way.
> 
> I noticed that if I configure the Squid proxy as a forward proxy and the
> TMG as its peer, I can initiate and authenticate a secure connection to
> the internet web service from a browser in the local network (using the
> squid proxy). Apparently the TMG is passed transparently and TLS is
> terminated on the webservice. Intuitively I would assume that,
> therefore, there should also be some way to initiate a https connection,
> and handle the certificate authentication, from the squid server itself.
> 
> Considering the updated diagram, do you think this can be done in Squid?

No, because Squid is only aware of two ways to send a request: either a
connection going to the TMG, or a connection going out directly on port
443 to the server (bypassing the TMG). The latter is forbidden by
firewall rules I presume, and the connection to the TMG is not secured
for use with https:// URLs.

In the case where the browser client is sending HTTPS to Squid as a
forward proxy it does so using CONNECT requests. Squid is able to relay
those CONNECT messages to the TMG and you see it working as the tunnel
spans both hops and they are both blind to the HTTPS messages themselves.


If you could TLS encrypt the connection to the TMG Squid could send the
HTTPS messages inside that, but then the TMG would still be the agent
doing the final client-cert bits with the origin server.

Amos
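An added squid.conf example, not taken from this thread or from the Squid project's own documentation, that puts the forward-proxy setup Lucas reports as working next to the reverse-proxy setup he asked about, with comments stating why the second one cannot reach an https:// origin through the TMG. Hostnames (tmg.example.internal, service.example.com), ports, the localnet range and the certificate paths are placeholders. The directive spelling is Squid 3.5's, the release current when this message was written, where the peer TLS options are ssl / sslcert= / sslkey= / sslcafile=; Squid 4 and later spell them tls / tls-cert= / tls-key= / tls-cafile=.

```conf
# Added example (not from the thread): squid.conf fragment contrasting the
# two deployments discussed above. All names, ports and paths are placeholders.

# ---- Part 1: forward proxy with the TMG as the only parent (works) ----------
http_port 3128

# The TMG is an unencrypted HTTP parent. A browser's CONNECT request is relayed
# to it unchanged, so the TLS session runs end to end between the browser and
# the origin and both proxies are blind to the HTTPS messages inside it.
cache_peer tmg.example.internal parent 8080 0 no-query default name=tmg

# Force every request through the parent. A direct connection on port 443 to
# the origin is the path the firewall rules forbid.
never_direct allow all
cache_peer_access tmg allow all

acl localnet  src 10.0.0.0/8
acl SSL_ports port 443
acl CONNECT   method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# ---- Part 2: reverse proxy taking http from clients (what was asked for) ----
# Kept commented out because it conflicts with Part 1 in one config file.
#
# An accelerator port turns a plain-http client request into a request Squid
# itself sends to the origin. For an https:// origin Squid must open the TLS
# connection (and present the client certificate) itself, which means the peer
# must be the ORIGIN reached directly on 443, i.e. the path never_direct above
# forbids. Squid has no way to wrap such a request for the plain-HTTP TMG.
#
# http_port 80 accel defaultsite=service.example.com
# cache_peer service.example.com parent 443 0 no-query originserver \
#     ssl sslcert=/etc/squid/client.pem sslkey=/etc/squid/client.key \
#     sslcafile=/etc/squid/ca.pem name=origin
# cache_peer_access origin allow all

# ---- Part 3: TLS-encrypted connection to the TMG (only if the TMG offers it) -
# Also commented out. If the TMG accepted TLS on a proxy port, Squid could send
# the https:// request inside that session, but the TMG would then be the party
# doing the final TLS handshake, client certificate included, with the origin.
#
# cache_peer tmg.example.internal parent 8443 0 no-query default ssl \
#     sslcafile=/etc/squid/tmg-ca.pem name=tmg_tls
# cache_peer_access tmg_tls allow all
```

Check which part is actually in effect with "squid -k parse" after editing, and watch the CONNECT lines in access.log: in Part 1 they should show the TMG as the next hop, never DIRECT.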

