[squid-users] explicit forward proxy to server requring client authentication

Robert W Weaver woody.weaver at us.ibm.com
Wed May 18 12:29:29 UTC 2016 

>> 18.05.16 3:11, Robert W Weaver пишет:
>>> The issue is I need to connect to a site that requires client
>>> authentication.  Don't want to put the key and cert on each individual
>>> user, so instead want the key and cert on the proxy.
>>> Diagram:

>>> User A ---> Squid S ---> Server B
>>>         ^            ^
>>>         |            +-- TLS client authentication
>>>         +-- cleartext okay

On Wed, 18 May 2016 17:48:26 +1200, Amos Jeffries <squid3 at treenet.co.nz> 
wrote:

> On 18/05/2016 10:05 a.m., Yuri Voinov wrote:
>> 
>> ..... and a bit below in squid.conf.documented we can see.....
>> 
>> # SSL OPTIONS
>> #
>> 
-----------------------------------------------------------------------------
>> 
>> #  TAG: sslproxy_client_certificate
>> #    Client SSL Certificate to use when proxying https:// URLs
>> #Default:
>> # none
>> 
>> #  TAG: sslproxy_client_key
>> #    Client SSL Key to use when proxying https:// URLs
>> #Default:
>> # none
>> 
>> Ta-daaaaaaaa!
> 

> You are the one getting it wrong here Yuri :-(

I am celebrating Yuri's ta dah.  The clue to squid.config.documented was 
crucial, and the specific hint to sslproxy_client_* was what was missing.

From S to B is now working properly.  Squid is now in the middle, and is 
performing authentication to server B properly.

> * clientca= is for listening ports. He wants that conectio to be 
cleartext.

> * sslproxy_* directives are for generic DIRECT connections. He wants a
> specific proxy<->server connection to be TLS authenticated.

> For the S<->B connection to use client certificates. cert= and key= on
> the cache_peer directive defining that link are correct.

> But there are twe other details that need to happen for it to work:
> * the server actually challenge for the proxies 'client' cert, and
> * the server trust the CA which signed that cert.

This is happening.  I'd generated a CSR and had the CA that is the "owner" 
of server B sign it for me.  We are cool.

> The world of "not working" is a very big place. We need more details of
> *how* its not working in order to have any guideposts towards what the
> problem actually is. As Yuri used to say a lot, my psychic friend is on
> holiday.

It is now working to an acceptable point, although there is an enhancement 
that would be nice.  Right now,

1.  A connects to S, requests https://B/some/image.png
2.  S connects to B over TLS, performs client authentication, gets 
/some/image.png (or pulls from cache)
3.  A converts to TLS to S, pulls down data.

This is fine, its just that there is an unnecessary encrypt/decrypt 
between A and S.  The connection is inside a controlled data center (on 
the same switch, perhaps on the same ESX host) so I'm not concerned about 
security -- not to mention the cached data isn't especially sensitive. 

So this last bit is just an enhancement, a nice to have.  Its the opposite 
of SSL termination for accelerators, so I suspect its possible, just don't 
know how to do it.

Coffee (or a favorite beverage) all around!

--woody

-- 
Doubt is not a pleasant condition, but certainty is absurd.
-- Voltaire


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160518/b4f0e808/attachment.html>

More information about the squid-users mailing list