[squid-users] Using squid for http to https forward proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Feb 23 06:47:18 UTC 2018


On 23/02/18 11:20, Faling, Martin wrote:
> Hi all, 
> 
> I am new to configuring Squid as a forward proxy. 
> Not sure if squid can fulfill my need. 
> My client ( in this case a Windows 2016 server) needs to connect to the
> forward proxy (squid) which is residing in a DMZ. 
> The forward proxy needs to establish a new session to an external
> webserver on behalf of my client (Windows 2016 server) using mutual
> authentication (both client and server need to authenticate using
> certificates).
> So assume the client certificate needs to be installed on forward proxy. 

No. A regular forward-proxy has nothing to do with TLS between clients
and origin servers (aka "HTTPS"). It will simply open the TCP-level
CONNECT tunnels on request by the client.


> I am not looking for redirection from http to https for my client.

"redirect" between http:// and https:// is forbidden to proxies.

But, I suspect that your choice of the word "redirect" was the wrong
thing here. It does not match the rest of your problem description,
specifically the part where you say you are using a forward-proxy.


> From
> client to proxy it needs to be plain http in order to inspect network
> traffic on the firewall(s).
> Question 1 : is such a configuration possible using squid ? 

Assuming that your initial statement about wanting a forward-proxy was
the correct part of your description, the answer would be yes, and you
do not have to configure anything at all in Squid for it to work.

The client sends an HTTP CONNECT message to the proxy, which opens the
tunnel to the remote server. When the proxy reports success, the client
initiates the TLS to that server inside the tunnel.


> Question 2 : if it is possible, which version of squid (to be installed
> on CentOS 7) do I need? What would a configuration look like? 

If what I think you are asking about is correct, any Squid can do it,
without TLS/SSL support needing to be built into the proxy.


Amos
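The exchange Amos describes, written out as an added example that is not part of the thread and is not Squid's own code: the client sends a plain-text CONNECT to the proxy (the only part a firewall between them can inspect is the destination host:port), the proxy answers 200 and becomes a byte pipe, and the client then starts TLS inside that pipe, which is why the client certificate is loaded on the client and never on the proxy. The proxy-side parser refuses anything but port 443, mirroring what Squid's default `SSL_ports` ACL does; proxy and target names and the PEM paths are hypothetical placeholders.

```python
"""CONNECT tunnel walk-through, client and proxy side (added example)."""
import socket
import ssl
from typing import Optional, Tuple

CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
CONNECT_REFUSED = b"HTTP/1.1 403 Forbidden\r\n\r\n"


def build_connect_request(target_host: str, target_port: int = 443) -> bytes:
    """Client side: the clear-text request sent to the forward proxy."""
    authority = f"{target_host}:{target_port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_request(raw: bytes) -> Optional[Tuple[str, int]]:
    """Proxy side: (host, port) of a well-formed CONNECT, or None to refuse.
    Only port 443 is accepted, like Squid's default SSL_ports ACL."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, colon, port_str = parts[1].rpartition(":")
    if not colon or not host or not port_str.isdigit():
        return None
    port = int(port_str)
    if port != 443:
        return None
    return host, port


def proxy_reply(raw: bytes) -> bytes:
    """Proxy side: 200 opens the tunnel, anything else refuses it."""
    return CONNECT_OK if parse_connect_request(raw) is not None else CONNECT_REFUSED


def read_proxy_status(reply: bytes) -> int:
    """Client side: numeric status from the proxy's reply to CONNECT."""
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ")
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])


def open_tunnel(proxy_host: str, proxy_port: int,
                target_host: str, target_port: int = 443) -> socket.socket:
    """Client side: TCP to the proxy, CONNECT, wait for 200, return the raw
    socket that is now a tunnel to target_host:target_port."""
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(build_connect_request(target_host, target_port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    if read_proxy_status(reply) != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {reply[:64]!r}")
    return sock


def tls_inside_tunnel(sock: socket.socket, target_host: str,
                      client_cert_pem: str, client_key_pem: str,
                      ca_pem: Optional[str] = None) -> ssl.SSLSocket:
    """Client side: mutual TLS over the tunnel. The client cert and key live
    here, on the client; the proxy only ever saw the CONNECT line."""
    ctx = ssl.create_default_context(cafile=ca_pem)  # verifies the origin server
    ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    return ctx.wrap_socket(sock, server_hostname=target_host)


if __name__ == "__main__":
    # Hypothetical hosts and paths; adjust before running against a real proxy.
    tunnel = open_tunnel("proxy.dmz.example", 3128, "api.partner.example")
    tls = tls_inside_tunnel(tunnel, "api.partner.example",
                            "client.crt", "client.key", ca_pem="partner-ca.pem")
    tls.sendall(b"GET / HTTP/1.1\r\nHost: api.partner.example\r\n\r\n")
    print(tls.recv(4096).decode("ascii", "replace"))
```

On the Squid side the visible access-log line for such a request is the CONNECT to `host:443`; the TLS handshake, including the client certificate, is opaque to it. If the firewall between client and proxy needs to see more than the destination, that is a different design (a TLS-terminating proxy) from the one asked about here.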

