[squid-users] Is there a way to allow connection according to user certificate?

Yuri Voinov yvoinov at gmail.com
Thu May 5 13:13:50 UTC 2016

05.05.16 19:06, Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
> Sorry for the mess, I'm novice here.
> As it turned out my proxy is not transparent...
> By "some reasons" I meant clients' experience reasons, let me explain.
> I use explicit proxy and my clients connect to proxy using iPhone only.
> I installed self-signed certificate on every iPhone and made
> login/pass authentication.
> It works perfect for wi-fi connection, because in this case iPhone
> gives a possibility to specify proxy domain, port, login and password.
> However to make them connect to proxy using mobile internet I had to
> install APN profile on each iPhone. Inside APN profile I can specify
> domain and port, but not login and pass (APN doesn't have such
> settings). So when client opens browser using mobile internet he is
> asked for login/pass every time. This situation is not appropriate for
> me so I can't use login/pass.
But this is the default behaviour for proxy with auth.

I still do not understand the purpose for which authentication is required?
> I'm thinking that maybe it's possible to replace login/pass
> authentication with certificate authentication.
> I want to authenticate users using a digital certificate they already
> have on their iPhone.
> I found some articles about certificate authentication for reverse
> proxy, but can't find anything about explicit one.

A reverse proxy is a different thing from a forwarding/transparent proxy.

AFAIK there is no solution for what you asked.

But you can be first.

I see this:

1. You can write an external auth helper, with Perl/Python/etc. for
2. You can set up DHCP with option 252 to push proxy.pac to your clients.
3. You can tell us about success ;)

> Is it possible?
In theory, everything is possible that does not contradict the laws of
physics. :)
> Best Regards,
> Sergey
