[squid-users] Is there a way to allow connection according to user certificate?

Yuri Voinov yvoinov at gmail.com
Thu May 5 14:01:47 UTC 2016

Hash: SHA256

05.05.16 19:19, Amos Jeffries пишет:
> On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
>> Dear Amos and Yuri, thanks a lot for your answers.
>> Sorry for the mess, I'm novice here.
>> As it turned out my proxy is not transparent...
>> By "some reasons" I meant clients' experience reasons, let me explain.
>> I use explicit proxy and my clients connect to proxy using iPhone only.
>> I installed self-signed certificate on every iPhone and made login/pass
>> authentication.
>> It works perfect for wi-fi connection, because in this case iPhone
gives a
>> possibility to specify proxy domain, port, login and password.
>> However to make them connect to proxy using mobile internet I had to
>> install APN profile on each iPhone. Inside APN profile I can specify
>> and port, but not login and pass (APN doesn't have such settings). So
>> client opens browser using mobile internet he is asked for login/pass
>> time. This situation is not appropriate for me so I can't use login/pass.
>> I'm thinking that maybe it's possible to replace login/pass
>> with certificate authentication.
>> I want to authenticate users using a digital certificate they already
>> on their iPhone.
>> I found some articles about certificate authentication for reverse proxy,
>> but can't find anything about explicit one.
>> Is it possible?
> Squid can listen on an https_port for connections. The TLS settings to
> challenge for client cert are the same for explicit proxy as you would
> find for reverse-proxy.
> What you will also find however is that browsers do not do TLS to
> proxies, or if they do not without jumping through some other hoops
> which are browser dependent.
> * Chrome requires that it is started with certain command line options,
> AND that a PAC file is used with https:// URI for the proxy detail.
> * Firefox requires that PAC file are used with https:// URI for the
> proxy detail AND limits the protocol spoken to those proxy to HTTP/2.
In my personal opinion, that everywhere for the crazy idea to push HTTPS
- and where it is necessary and where it is not necessary. If a hammer -
everything looks like a nail.
> * Safari and IE - seem not to support TLS proxy at all yet AFAIK.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Version: GnuPG v2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160505/5308d8c0/attachment-0001.key>

More information about the squid-users mailing list