[squid-users] CFG for access using certificates
Amos Jeffries
squid3 at treenet.co.nz
Sun May 19 02:53:33 UTC 2019
On 19/05/19 5:45 am, Jānis wrote:
> Hi!
>
> It is clear to me how to limit access to the proxy from specific IPs
> using an ACL.
> I wish to create the config for the use of the proxy over SSL from any
> address. What would a basic cfg look like, assuming it is the only way
> to use the proxy?
>

  https_port 3127 tls-cert=/etc/squid/proxy.pem
  http_access allow all

I hope you can see that this is *not* secure in any way. Simple TLS to a
proxy only protects the in-transit bytes against spying. The proxy is an
open-proxy for any attacker to use at will, and the TLS can trivially be
MITM'd.

You still need to have security checks (http_access rules) to check
whether the client is authorized to use the proxy.

Amos
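
[Added example, not part of the original message and not Squid project code.] A small audit of the http_access rules in a squid.conf that reports every reachable "allow" rule which checks nothing about the client, which is the open-proxy condition described above. The function names, the choice of ACL types counted as client-identifying, and the second sample config are assumptions made for this illustration.

```python
# ACL types treated here as identifying the client (a selection made for
# this example, not an official Squid list).
IDENTITY_TYPES = {"src", "arp", "proxy_auth", "proxy_auth_regex",
                  "ext_user", "user_cert", "ca_cert", "external"}

# The two lines posted in the message above.
POSTED = """\
https_port 3127 tls-cert=/etc/squid/proxy.pem
http_access allow all
"""

# Constructed sample: same listener, but access limited to one source range.
RESTRICTED = """\
https_port 3127 tls-cert=/etc/squid/proxy.pem
acl office src 192.0.2.0/24
http_access allow office
http_access deny all
http_access allow all
"""

def parse(conf):
    """Return (ACL name -> ACL type, ordered list of http_access rules)."""
    acl_types, rules = {"all": "builtin"}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue  # comment line
        tokens = raw.split()
        if len(tokens) >= 3 and tokens[0] == "acl":
            acl_types.setdefault(tokens[1], tokens[2])
        elif len(tokens) >= 2 and tokens[0] == "http_access":
            rules.append((lineno, tokens[1], tokens[2:]))
    return acl_types, rules

def open_allows(conf):
    """Line numbers of reachable allow rules that test no client identity."""
    acl_types, rules = parse(conf)
    findings = []
    for lineno, action, acls in rules:
        # A negated ACL ("!name") does not count as an identity check.
        identifies = any(acl_types.get(a) in IDENTITY_TYPES
                         for a in acls if not a.startswith("!"))
        if action == "allow" and not identifies:
            findings.append(lineno)
        if acls == ["all"]:
            break  # first match wins: later rules are never reached
    return findings

if __name__ == "__main__":
    print("posted config:", open_allows(POSTED))
    print("restricted config:", open_allows(RESTRICTED))
```
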