[squid-users] Proxy client certificate authentication rewritten to username/password authentication

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 10 05:12:43 UTC 2018


On 10/10/18 11:37 AM, Alex Rousskov wrote:
> 
> Please note that if you want to rewrite URLs of secure web sites (e.g.,
> "https://example.com/"), then you will be fighting an increasingly
> uphill battle with modern browsers, even if Squid can do (or can be
> enhanced to do) what you want. In many cases, an overall better solution
> in that case is to rewrite those secure URLs inside the browser instead,
> even though that approach often requires instrumenting several browsers
> that increasingly resist instrumentation (i.e. another uphill battle
> with popular browsers!).
> 
One other thing to consider here is whether the user+pass have to be
sent in the URL at all.

If possible, it would be better to use a cache_peer connection that
sends HTTP authentication headers to the upstream server. That gives you
the ability to "internally" use the more secure forms of TLS which cannot be
MITM'd for the connection containing credentials.

Alternatively, you may be able to send a custom header with the
http_header_add mechanism with a custom value to the origin server for
processing.

Amos
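As an added illustration of the cache_peer approach Amos describes (example configuration, not from the post or the Squid project), the weak pattern of credentials in the rewritten URL is shown commented out beside a cache_peer that carries the login over TLS; the hostnames, ACL names, CA file path and credential placeholders are assumptions, and Squid 4.x directive syntax is assumed.

```conf
# Added example, not from the post. Hostnames, ACL names, the CA file
# path and the credential placeholders are assumptions; Squid 4.x syntax.

# Weak pattern: embedding credentials in the rewritten URL puts them in
# the request line, in access.log and on every hop that sees the URL.
#   url_rewrite_program /usr/local/bin/add-creds   (hypothetical helper)
#   rewriting https://example.com/ -> https://USER:PASS@example.com/

# Preferred: Squid adds the HTTP authentication header itself on a
# TLS-protected cache_peer connection, so the client URL stays clean.
acl to_origin dstdomain example.com

# login=user:pass makes Squid send Proxy/WWW authentication upstream;
# tls + tls-cafile pins the upstream CA so the credential hop is verified.
cache_peer origin.example.com parent 443 0 no-query originserver name=origin_tls tls tls-cafile=/etc/squid/origin-ca.pem login=PROXY_USER:PROXY_PASSWORD

# Only route the intended domain through the authenticated peer, and
# forbid going direct so credentials are never sent on an unverified path.
cache_peer_access origin_tls allow to_origin
cache_peer_access origin_tls deny all
never_direct allow to_origin

# Alternative the post mentions: a custom header the origin inspects
# instead of URL credentials. request_header_add is the directive name
# assumed here (Squid 3.5+); the header name and value are constructed.
request_header_add X-Proxy-Client "tenant-42" to_origin
```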