[squid-users] Is there a way to allow connection according to user certificate?

Amos Jeffries squid3 at treenet.co.nz
Thu May 5 13:19:03 UTC 2016


On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
> 
> Sorry for the mess, I'm novice here.
> As it turned out my proxy is not transparent...
> 
> By "some reasons" I meant clients' experience reasons, let me explain.
> 
> I use explicit proxy and my clients connect to proxy using iPhone only.
> I installed self-signed certificate on every iPhone and made login/pass
> authentication.
> It works perfectly for Wi-Fi connections, because in this case the iPhone gives
> the possibility to specify the proxy domain, port, login and password.
> However, to make them connect to the proxy using mobile internet I had to
> install an APN profile on each iPhone. Inside the APN profile I can specify the domain
> and port, but not the login and password (the APN doesn't have such settings). So when a
> client opens the browser using mobile internet he is asked for login/pass every
> time. This situation is not appropriate for me, so I can't use login/pass.
> 
> I'm thinking that maybe it's possible to replace login/pass authentication
> with certificate authentication.
> I want to authenticate users using a digital certificate they already have
> on their iPhone.
> 
> I found some articles about certificate authentication for reverse proxy,
> but can't find anything about explicit one.
> Is it possible?

Squid can listen on an https_port for connections. The TLS settings to
challenge for client cert are the same for explicit proxy as you would
find for reverse-proxy.

What you will also find, however, is that browsers do not do TLS to
proxies, or if they do, not without jumping through some other hoops
which are browser dependent.

IIRC:
* Chrome requires that it is started with certain command-line options,
AND that a PAC file is used with an https:// URI for the proxy detail.

* Firefox requires that a PAC file is used with an https:// URI for the
proxy detail AND limits the protocol spoken to that proxy to HTTP/2.

* Safari and IE - seem not to support TLS proxies at all yet AFAIK.

Amos
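As an added example (not part of the thread above, and not Squid's or any browser vendor's code), here is the browser-side piece Amos mentions for Chrome and Firefox: a PAC file that directs traffic to a TLS-wrapped Squid https_port using the "HTTPS host:port" return form. The proxy name proxy.example.com and port 3129 are assumed placeholders; on the Squid side the matching listener would be an https_port line with cert=, key= and clientca= set, and a user_cert ACL used in http_access to admit only phones presenting a certificate from that CA.

```javascript
// Added example PAC file (not from the squid-users thread).
// Assumed placeholders: proxy.example.com and port 3129. The proxy's TLS
// certificate must be issued for that name, or the browser will refuse the
// TLS handshake before it ever gets asked for the client certificate.
var PROXY_HOST = "proxy.example.com";
var PROXY_PORT = 3129;

// Destinations that should never go through the proxy: bare (dot-less)
// intranet names, localhost and the loopback range. Uses plain string
// checks rather than the PAC helpers (isPlainHostName, shExpMatch) so the
// file also runs unchanged under Node for offline testing.
function isLocalDestination(host) {
  var h = String(host).toLowerCase();
  if (h === "localhost" || h.indexOf(".") === -1) {
    return true;
  }
  return /^127\.\d+\.\d+\.\d+$/.test(h);
}

// Standard PAC entry point called by the browser for every request.
// "HTTPS host:port" makes the browser open a TLS connection to the proxy,
// which is what triggers Squid's client-certificate challenge on https_port.
// "PROXY host:port" would be plain HTTP to the proxy and would never present
// the certificate. There is deliberately no "; DIRECT" fallback: if the proxy
// is unreachable the request fails rather than silently bypassing the
// certificate check.
function FindProxyForURL(url, host) {
  if (isLocalDestination(host)) {
    return "DIRECT";
  }
  return "HTTPS " + PROXY_HOST + ":" + PROXY_PORT;
}
```

The file is served to the browser as a PAC URL (Chrome and Firefox both accept it as the proxy auto-configuration script); only the string returned by FindProxyForURL matters to the browser, so the helper is free to be replaced with the built-in PAC functions once the logic has been checked offline.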
