[squid-users] explicit forward proxy to server requiring client authentication
squid3 at treenet.co.nz
Wed May 18 05:48:26 UTC 2016
On 18/05/2016 10:05 a.m., Yuri Voinov wrote:
> ..... and a bit below in squid.conf.documented we can see.....
> # SSL OPTIONS
> # TAG: sslproxy_client_certificate
> # Client SSL Certificate to use when proxying https:// URLs
> # none
> # TAG: sslproxy_client_key
> # Client SSL Key to use when proxying https:// URLs
> # none
You are the one getting it wrong here Yuri :-(
* clientca= is for listening ports. He wants that connection to be cleartext.
* sslproxy_* directives are for generic DIRECT connections. He wants a
specific proxy<->server connection to be TLS authenticated.
For the S<->B connection to use client certificates. cert= and key= on
the cache_peer directive defining that link are correct.
But there are two other details that need to happen for it to work:
* the server actually challenge for the proxy's 'client' cert, and
* the server trust the CA which signed that cert.
The world of "not working" is a very big place. We need more details of
*how* it's not working in order to have any guideposts towards what the
problem actually is. As Yuri used to say a lot, my psychic friend is on
> 18.05.16 3:11, Robert W Weaver wrote:
>> Greetings, squid users and devs,
>> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
>> The issue is I need to connect to a site that requires client
> authentication. Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>> User A ---> Squid S ---> Server B
>> ^ ^
>> | +-- TLS client authentication
>> +-- cleartext okay
>> I'm able to bump, but the client authentication to server B isn't
> working. Configured cert and key on S with ssl-bump cert= .. key= ..
> but that isn't working.
>> Is this not possible?
>> "I used to wish the universe were fair. Then one day it hit me: What if
>> the universe were fair? Then all the awful things that happen to us in
>> life, would happen because we deserved them. So now I take great pleasure
>> in the general hostility and unfairness of things."
>> -- Marcus, on Babylon 5
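The two server-side conditions named in the reply above (the server challenges for a client certificate, and trusts the CA that signed it) can be checked from the proxy host independently of Squid. The following is an added example, not part of the original thread: a shell helper that reads saved `openssl s_client` output and compares the CA names the server advertised with the issuer of the proxy's certificate. The host name, file names, function names and the sample handshake text are all constructed for illustration.

```shell
# Capture real input on the proxy host (host and file names are placeholders):
#   openssl s_client -connect serverB.example:443 </dev/null >handshake.txt 2>&1
#   check_client_auth "$(openssl x509 -in proxy-client.pem -noout -issuer)" <handshake.txt

# normalise_dn: reduce OpenSSL 1.0 ("/C=US/O=X") and 1.1+ ("C = US, O = X")
# DN renderings to one form. Approximate: values containing commas will differ.
normalise_dn() {
    sed -e 's/^issuer= *//' -e 's|^/||' -e 's/ *= */=/g' -e 's|, *|/|g' -e 's/ *$//'
}

# check_client_auth ISSUER_DN < s_client-output
#   0: issuer is in the CA list the server advertised
#   1: no CA names advertised (no certificate request, or an empty CA list)
#   2: CA names advertised, but the issuer is not among them
check_client_auth() {
    local issuer out names
    issuer=$(printf '%s\n' "$1" | normalise_dn)
    out=$(cat)
    # DN lines follow the header until the first non-DN line.
    names=$(printf '%s\n' "$out" | awk '
        /^Acceptable client certificate CA names/ { on = 1; next }
        on && /^(\/|[A-Za-z0-9.]+ = )/ { print; next }
        on { exit }' | normalise_dn)
    if [ -z "$names" ]; then
        echo "no client CA names advertised by server"
        return 1
    fi
    if printf '%s\n' "$names" | grep -Fxq -- "$issuer"; then
        echo "server advertises the issuer of the proxy certificate"
        return 0
    fi
    echo "issuer not in the server's advertised CA list"
    return 2
}

# Constructed s_client excerpt (OpenSSL 1.0 DN style), for offline testing.
sample_handshake() {
    cat <<'EOF'
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Client CA
Client Certificate Types: RSA sign, ECDSA sign
---
EOF
}
```

A result of 1 is ambiguous by itself, because `s_client` prints "No client certificate CA names sent" both when no certificate was requested and when the request carried an empty CA list.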