[squid-users] Using a static wildcard certificate with ssl-bump in explicit forward proxy mode

Amos Jeffries squid3 at treenet.co.nz
Sat Jan 26 02:42:29 UTC 2019


On 26/01/19 5:51 am, Bill Bernsen wrote:
> Hi,
> 
> I have squid running as an explicit forward proxy on the
> host example.com controlling access to all hosts
> in *.example.com. All the hosts in *.example.com
> have self-signed certificates that I want to
> appear as trusted to user browsers. I don't have the option of obtaining
> a trusted CA. I do, however, have a trusted wildcard certificate for
> *.example.com available. Is there a way that I can
> tell squid to present this static wildcard certificate to clients in
> lieu of all upstream server certificates?


As a forward proxy clients are *not* connecting to any of the
*.example.com domains. They are connecting to your proxy hostname - and
telling it to take care of the origin connections. So all clients need
is trust for the CA which signed the proxy's certificate.

The proxy is the only agent in the path which needs to trust the
wildcard *.example.com certificate.


Amos
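A minimal squid.conf sketch of the trust split described above, added here as an illustration and not taken from this thread or from the Squid project's documentation. It assumes Squid 4 directive names; every file path is a placeholder, and the two PEM files are assumed to be the proxy's own signing CA (client side) and the bundle of upstream trust anchors (origin side).

```conf
# Client side: with ssl-bump the browser's TLS session terminates at the
# proxy, so the only thing the browser must trust is the CA the proxy uses
# to sign the certificates it generates. Placeholder paths.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/proxy-signing-ca.pem \
    tls-key=/etc/squid/proxy-signing-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints the per-host certificates; path is distribution-specific.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello first so the SNI is available, then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Origin side: the proxy, not the browser, validates the *.example.com
# certificates. Put the upstream trust anchors here (a CA bundle, or the
# self-signed origin certificates themselves concatenated into one PEM);
# nothing in this file ever needs to reach a client.
tls_outgoing_options cafile=/etc/squid/upstream-trust-anchors.pem
```

With this layout the wildcard certificate never has to be presented to clients; it only matters to the proxy's outgoing validation.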
