[squid-users] https proxy authentication

Adam Weremczuk adamw at matrixscience.com
Thu Mar 29 15:24:11 UTC 2018


Hi all,

I have a solution in place with a dedicated squid LXC container (v 
3.1.20-2.2).
Both http and https proxy run on default port 3128.
Https is tunneled in http using CONNECT.
There is no authentication in place and both are working fine.

For testing purposes we also use an Apache (v 2.2.22-13) proxy forwarder 
running on a different machine on port 80 as "aproxy".

Config below:

# Authenticated proxy for testing purposes
# We forward http/s requests to the local proxy server
ProxyRequests On
ProxyVia On
ProxyRemote http http://proxy.example.internal:3128
ProxyRemote https http://proxy.example.internal:3128
ProxyDomain .example.internal
NoProxy .example.internal 192.168.x.x/22
<Proxy *>
   Order Deny,Allow
   Deny from all
   Allow from 192.168.x.x/22
   AuthType Basic
   AuthName ProxyAuth
   AuthUserFile /etc/apache2/proxypasswd
   Require valid-user
</Proxy>

This is working as expected for http requests:

1. Unauthenticated (failure):

$ http_proxy=http://aproxy:80
$ wget http://example.com 2>&1 | grep response
Proxy request sent, awaiting response... 407 Proxy Authentication Required

2. Username with password (success):

$ http_proxy=http://username1:password@aproxy:80
$ wget http://example.com 2>&1 | grep response
Proxy request sent, awaiting response... 200 OK

3. Username without password (success):

$ http_proxy=http://username2:@aproxy:80
$ wget http://example.com 2>&1 | grep response
Proxy request sent, awaiting response... 200 OK

My *PROBLEM* is I can't find a way to use authentication for proxied 
https requests.

From a LAN client trying to establish connection:

$ echo $http_proxy
http://username1:password@aproxy:80

$ echo $https_proxy
http://username1:password@aproxy:80

$ wget --server-response https://example.com 2>&1
--2018-03-29 15:20:44--  https://example.com/
Resolving aproxy (aproxy)... 192.168.x.x
Connecting to aproxy (aproxy)|192.168.x.x|:80... connected.
Proxy tunneling failed: Service Temporarily UnavailableUnable to establish SSL connection.

On "aproxy" only one line in apache error log (even in debug mode):

[Thu Mar 29 15:21:59 2018] [error] (111)Connection refused: proxy: CONNECT: attempt to connect to 93.184.216.34:443 (example.com) failed

Nothing is logged on squid "proxy" which is the next hop.

What's the easiest way to enable authenticated https proxying?
I don't want to enable it for our main production proxy:3128
Or maybe it's already supposed to work but I'm missing something?

Please advise.

Thanks
Adam
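
Added example, not part of the original message and not code from Squid or Apache: a small Python probe that sends the same authenticated CONNECT the post's wget run sends and sorts the proxy's status line into "credentials rejected" (407) versus "proxy could not reach its next hop" (5xx, the case in the wget output and Apache error log above). The function names, category labels and sample replies are assumptions constructed for illustration.

```python
import base64
import socket

def build_connect(host, port, user=None, password=""):
    """Raw CONNECT request for an HTTP proxy, optionally with Basic credentials."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        # Basic auth is only base64("user:password"); on a plain-HTTP proxy
        # port it crosses the LAN readable, even when the tunnel carries TLS.
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def classify(reply):
    """Map the proxy's status line to the stage at which the tunnel stopped."""
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "malformed"
    code = int(parts[1])
    if 200 <= code < 300:
        return "tunnel-established"
    if code == 407:
        return "auth-required"          # credentials missing or rejected
    if code == 403:
        return "denied-by-acl"          # e.g. client outside the Allow range
    if code in (502, 503, 504):
        return "upstream-unreachable"   # proxy failed to connect onward
    return f"other-{code}"

def probe(proxy_host, proxy_port, host, port, user=None, password="", timeout=5):
    """Send one CONNECT to a live proxy and classify its first reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect(host, port, user, password))
        return classify(s.recv(4096))

# Constructed sample replies (not captured traffic) for offline use.
SAMPLE_REPLIES = {
    "no credentials": b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n",
    "post's failure": b"HTTP/1.0 503 Service Temporarily Unavailable\r\n\r\n",
    "working tunnel": b"HTTP/1.0 200 Connection Established\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REPLIES.items():
        print(f"{label}: {classify(raw)}")
```

Against a live setup, `probe("aproxy", 80, "example.com", 443, "username1", "password")` returns one of the same labels.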
