[squid-users] Is there a way to allow connection according to user certificate?

Amos Jeffries squid3 at treenet.co.nz
Wed May 4 12:05:06 UTC 2016


On 4/05/2016 11:20 p.m., Ser de Bronce wrote:
> Hi there,
> 
> 
> Maybe someone already knows any solution:
> 
> 
> I have transparent proxy and according to some reasons I can’t use
> login/password authentication. However I still need to control who can
> access my proxy.
> 
> 
> I can install certificates to my users. Is it possible to allow connection
> only if a user has the certificate issued by my CA?

You seem not to quite understand what the "some reasons" actually are.
If you did you would not have to ask.


Firstly, there is only one reason behind it all.

The reason is that the client thinks it's talking to some service that
is *not your proxy*. That is very important.


Secondly, there is one criterion that determines what works and what fails.

That criterion is "authentication". Specifically in-band authentication.
Any type of in-band authentication WILL fail. Any type. Not just passwords.

TLS client certificate is just another type of in-band authentication.
 * Which answers your question: No. It won't work the way you want.


If you can install certificates that easily, then surely you can just as
easily assign explicit proxy settings. Doing that would avoid all the
issues with interception.


Also, think about all the passive details / metadata you get from the
client traffic and how you can use it to authorize access without
actively engaging the client across the intercepted connection.

There are quite a lot of things you can do. Methods like RADIUS or DHCP
assigned IP addresses. Static IPs, or MAC address registrations a proxy
external ACL helper can look up to identify the client account.

Amos
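One way to do the passive lookup Amos describes, as an added example that is not part of this thread or of Squid itself: a minimal external ACL helper that maps the intercepted client's source IP (handed over by Squid via %SRC) to a registered account, so access is decided without any in-band challenge. The squid.conf wiring in the docstring, the helper's path and the registry contents are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: authorize intercepted clients by source IP.

Assumed squid.conf wiring (names are hypothetical):
  external_acl_type ip_registry ttl=300 concurrency=16 %SRC /usr/local/bin/ip_registry_helper.py
  acl registered external ip_registry
  http_access allow registered
  http_access deny all
"""
import sys

# Constructed sample registry: client IP -> account name.
# A real deployment would load this from DHCP leases, RADIUS accounting
# or a database instead of a hard-coded dict.
REGISTRY = {
    "192.0.2.10": "alice",
    "192.0.2.11": "bob",
}


def lookup(line: str) -> str:
    """Turn one request line from Squid into one response line.

    With concurrency=N Squid prefixes each line with a channel ID that
    must be echoed back unchanged; without it the line is just the %SRC
    value. Squid sends "-" when the value is unknown, which falls through
    to ERR because it is never in the registry.
    """
    parts = line.strip().split()
    if not parts:
        return "ERR"
    channel = ""
    if len(parts) == 2:
        channel, src = parts
        channel += " "
    else:
        src = parts[0]
    account = REGISTRY.get(src)
    if account is None:
        return f"{channel}ERR message=unregistered_client"
    # user= exposes the account to later ACLs and to access.log
    return f"{channel}OK user={account}"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(lookup(line) + "\n")
        sys.stdout.flush()  # Squid blocks until it sees the response line


if __name__ == "__main__":
    main()
```

Because the decision rests on an IP-to-account mapping, the registry must be kept in sync with address assignments (DHCP lease expiry, static allocations), otherwise a reused address inherits the previous holder's access.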


