[squid-users] Is there a way to allow connection according to user certificate?

Amos Jeffries squid3 at treenet.co.nz
Thu May 5 13:19:03 UTC 2016

On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
> Sorry for the mess, I'm novice here.
> As it turned out my proxy is not transparent...
> By "some reasons" I meant clients' experience reasons, let me explain.
> I use explicit proxy and my clients connect to proxy using iPhone only.
> I installed a self-signed certificate on every iPhone and set up login/pass
> authentication.
> It works perfectly for wi-fi connections, because in this case the iPhone gives a
> possibility to specify proxy domain, port, login and password.
> However, to make them connect to the proxy using mobile internet I had to
> install an APN profile on each iPhone. Inside the APN profile I can specify domain
> and port, but not login and pass (APN doesn't have such settings). So when a
> client opens a browser using mobile internet he is asked for login/pass every
> time. This situation is not appropriate for me, so I can't use login/pass.
> I'm thinking that maybe it's possible to replace login/pass authentication
> with certificate authentication.
> I want to authenticate users using a digital certificate they already have
> on their iPhone.
> I found some articles about certificate authentication for reverse proxy,
> but can't find anything about explicit one.
> Is it possible?

Squid can listen on an https_port for connections. The TLS settings to
challenge for client cert are the same for explicit proxy as you would
find for reverse-proxy.

What you will also find, however, is that browsers do not do TLS to
proxies, or if they do, not without jumping through some other hoops
which are browser dependent.

* Chrome requires that it is started with certain command line options,
AND that a PAC file is used with https:// URI for the proxy detail.

* Firefox requires that PAC files are used with an https:// URI for the
proxy detail AND limits the protocol spoken to those proxies to HTTP/2.

* Safari and IE - seem not to support TLS proxy at all yet AFAIK.
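As an added illustration of the https_port approach described in the reply above (this is not configuration from the original thread or from the Squid project, and every path, port, CA name and CN value in it is an assumed placeholder), a minimal squid.conf fragment that makes an explicit proxy listen over TLS, request a client certificate during the handshake, and then allow traffic only from certificates that match an ACL:

```conf
# Added example, not from the mailing-list post. All file paths, the port
# number and the certificate names are assumed placeholders.

# Explicit-proxy TLS listener. Browsers reach it via a PAC entry such as
# "HTTPS proxy.example.com:3129".
#   cert/key  - the proxy's own server certificate and private key
#   clientca  - CA list sent in the handshake; setting it is what makes
#               Squid ask the client for a certificate
#   cafile    - trust anchors used to verify the certificate the client sends
https_port 3129 cert=/etc/squid/proxy.crt key=/etc/squid/proxy.key clientca=/etc/squid/client-ca.pem cafile=/etc/squid/client-ca.pem

# Restrict by issuing CA (ca_cert) and by subject CN (user_cert).
# Values without spaces are used because a "quoted" ACL value is read as a filename.
acl phone_ca ca_cert CN ExamplePhoneCA
acl phone_users user_cert CN alice-iphone bob-iphone

# Only a certificate chaining to the expected CA with a listed CN gets through;
# a connection that presents no usable certificate is denied.
http_access allow phone_ca phone_users
http_access deny all
```

The `ca_cert` check matters as much as the `user_cert` one: without pinning the issuer, any certificate whose CN happens to match would be accepted if it verifies against something in `cafile`. On the client side the PAC file only needs to return `HTTPS proxy.example.com:3129` for the proxy, subject to the per-browser limitations listed above.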


More information about the squid-users mailing list