[squid-users] Is there a way to allow connection according to user certificate?
Yuri Voinov
yvoinov at gmail.com
Thu May 5 14:01:47 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
05.05.16 19:19, Amos Jeffries пишет:
> On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
>> Dear Amos and Yuri, thanks a lot for your answers.
>>
>> Sorry for the mess, I'm novice here.
>> As it turned out my proxy is not transparent...
>>
>> By "some reasons" I meant clients' experience reasons, let me explain.
>>
>> I use explicit proxy and my clients connect to proxy using iPhone only.
>> I installed self-signed certificate on every iPhone and made login/pass
>> authentication.
>> It works perfect for wi-fi connection, because in this case iPhone
gives a
>> possibility to specify proxy domain, port, login and password.
>> However to make them connect to proxy using mobile internet I had to
>> install APN profile on each iPhone. Inside APN profile I can specify
domain
>> and port, but not login and pass (APN doesn't have such settings). So
when
>> client opens browser using mobile internet he is asked for login/pass
every
>> time. This situation is not appropriate for me so I can't use login/pass.
>>
>> I'm thinking that maybe it's possible to replace login/pass
authentication
>> with certificate authentication.
>> I want to authenticate users using a digital certificate they already
have
>> on their iPhone.
>>
>> I found some articles about certificate authentication for reverse proxy,
>> but can't find anything about explicit one.
>> Is it possible?
>
> Squid can listen on an https_port for connections. The TLS settings to
> challenge for client cert are the same for explicit proxy as you would
> find for reverse-proxy.
>
> What you will also find however is that browsers do not do TLS to
> proxies, or if they do not without jumping through some other hoops
> which are browser dependent.
>
> IIRC;
> * Chrome requires that it is started with certain command line options,
> AND that a PAC file is used with https:// URI for the proxy detail.
>
> * Firefox requires that PAC file are used with https:// URI for the
> proxy detail AND limits the protocol spoken to those proxy to HTTP/2.
In my personal opinion, that everywhere for the crazy idea to push HTTPS
- and where it is necessary and where it is not necessary. If a hammer -
everything looks like a nail.
>
>
> * Safari and IE - seem not to support TLS proxy at all yet AFAIK.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXK1JLAAoJENNXIZxhPexGW/MIAM0aKjIOY4/3o8iYisQIQQjX
e10w0d7ygLbX4cHabzURwcR5J1qaoPE1VnK5tugybsEBUYLdj4EMRQ/FEqUIhC/+
aWodGOWneZ8QEFh7U+56g+fZLzUolbtJidjl/9JwmB8iWKSNgffLEgrTG3GIh4Jt
o7AfkqNejKqyaSio0iY1QygqI+LKBUVTpPdQIQ4950Ulql+rN55k7mktia04ZC35
bxM3p060aE5SG6YmEqjxOi1mAceMW1SmAESMKAN/GzuRc3CK4TUzqlXcxfScLEwQ
Il6HH0r+ovh19cj5dBZIVAS3cVgK1zvdsVREoZ4HUJIS/0n3dDUgbnP3hpXvGtI=
=2GpD
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160505/5308d8c0/attachment-0001.key>
More information about the squid-users
mailing list