[squid-users] explicit forward proxy to server requiring client authentication

Amos Jeffries squid3 at treenet.co.nz
Wed May 18 05:48:26 UTC 2016


On 18/05/2016 10:05 a.m., Yuri Voinov wrote:
> 
> ..... and a bit below in squid.conf.documented we can see.....
> 
> # SSL OPTIONS
> #
> -----------------------------------------------------------------------------
> 
> #  TAG: sslproxy_client_certificate
> #    Client SSL Certificate to use when proxying https:// URLs
> #Default:
> # none
> 
> #  TAG: sslproxy_client_key
> #    Client SSL Key to use when proxying https:// URLs
> #Default:
> # none
> 
> Ta-daaaaaaaa!
> 

You are the one getting it wrong here Yuri :-(

* clientca= is for listening ports. He wants that connection to be cleartext.

* sslproxy_* directives are for generic DIRECT connections. He wants a
specific proxy<->server connection to be TLS authenticated.

For the S<->B connection to use client certificates, cert= and key= on
the cache_peer directive defining that link are correct.

But there are two other details that need to happen for it to work:
* the server actually challenge for the proxy's 'client' cert, and
* the server trust the CA which signed that cert.

The world of "not working" is a very big place. We need more details of
*how* it's not working in order to have any guideposts towards what the
problem actually is. As Yuri used to say a lot, my psychic friend is on
holiday.

Amos

> 
> 18.05.16 3:11, Robert W Weaver wrote:
>> Greetings, squid users and devs,
> 
>> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
> 
>> The issue is I need to connect to a site that requires client
> authentication.  Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
> 
>> Diagram:
> 
>> User A ---> Squid S ---> Server B
>>         ^            ^
>>         |            +-- TLS client authentication
>>         +-- cleartext okay
> 
>> I'm able to bump, but the client authentication to server B isn't
> working.  Configured cert and key on S with ssl-bump cert= .. key= ..
> but that isn't working.
> 
>> Is this not possible?
> 
>> --woody
> 
> 
>> /-- 
>> "I used to wish the universe were fair. Then one day it hit me: What if
>> the universe were fair? Then all the awful things that happen to us in
>> life, would happen because we deserved them. So now I take great pleasure
>> in the general hostility and unfairness of things."
>> -- Marcus, on Babylon 5/
> 
> 
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
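As an added example, not code from Amos, the thread or the Squid project: a small shell helper that writes the cache_peer fragment Amos describes (Squid 3.5 option names sslcert=/sslkey=/sslcafile= are assumed) and checks a captured `openssl s_client -state` transcript for the two server-side details he lists. Hostnames, file paths and CA names are placeholders.

```shell
#!/bin/sh
# Added example. Placeholder hostnames/paths; assumes Squid 3.5 cache_peer
# option names (ssl, sslcert=, sslkey=, sslcafile=).

# squid.conf fragment: only Server B goes through a TLS cache_peer that
# presents the proxy's own client certificate; everything else stays DIRECT.
squid_conf_fragment() {
cat <<'EOF'
acl serverB dstdomain serverb.example.net
cache_peer serverb.example.net parent 443 0 no-query originserver name=serverB \
    ssl sslcert=/etc/squid/proxy-client.crt sslkey=/etc/squid/proxy-client.key \
    sslcafile=/etc/squid/serverb-ca.pem
cache_peer_access serverB allow serverB
cache_peer_access serverB deny all
never_direct allow serverB
EOF
}

# Detail 1: does Server B actually challenge for a client certificate?
# $1 = transcript of `openssl s_client -state -connect host:443 2>&1`.
# The handshake state line "read server certificate request" is printed
# only when a CertificateRequest was received (same wording for the
# TLS 1.0-1.3 state names in OpenSSL 1.0.x, 1.1.x and 3.x).
client_cert_requested() {
    printf '%s\n' "$1" | grep -q 'read server certificate request'
}

# Which CAs does the server say it accepts? Prints the DNs listed under
# "Acceptable client certificate CA names", one per line. Under TLS 1.3 a
# server may request a cert without sending any CA list, so an empty
# result only means "no hint given", not "no challenge".
acceptable_ca_names() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        /^Client Certificate Types|^Requested Signature|^---/ { inlist = 0 }
        inlist && NF { print }'
}

# Detail 2: is the issuer of the proxy's client cert among the accepted CAs?
# $1 = transcript, $2 = issuer DN exactly as `openssl x509 -noout -issuer`
# prints it (minus the leading "issuer=").
issuer_accepted() {
    acceptable_ca_names "$1" | grep -qxF -- "$2"
}
```

Feed `client_cert_requested`/`issuer_accepted` the output of a single `openssl s_client -state -connect serverb.example.net:443 2>&1 </dev/null` run from the proxy host; if either fails, the cache_peer settings cannot fix it, because the problem is on Server B's side.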