[squid-users] CFG for access using certificates

Jānis je at ktf.rtu.lv
Tue May 28 11:56:29 UTC 2019


Quoting Amos Jeffries <squid3 at treenet.co.nz>
Sun, 19 May 2019 14:53:33 +1200:

> On 19/05/19 5:45 am, Jānis wrote:
>> Hi!
>>
>> It is clear to me how to limit access to the proxy from specific IPs using
>> an ACL.
>> I wish to create a config for using the proxy over SSL from any
>> address. What would a basic cfg look like, assuming it is the only way
>> to use the proxy?
>
>  https_port 3127 tls-cert=/etc/squid/proxy.pem
>  http_access allow all
>
> I hope you can see that this is *not* secure in any way. Simple TLS to a
> proxy only protects the in-transit bytes against spying. The proxy is an
> open-proxy for any attacker to use at will, and the TLS can trivially be
> MITM'd.
>
> You still need to have security checks (http_access rules) to check
> whether the client is authorized to use the proxy.

Could it be user/password authentication? Is it plain-text or also over SSL?

The other solution could be using SSL tunnels with private key
authentication.

Janis
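
The open-proxy problem described in the quoted reply can be checked mechanically, since http_access rules are evaluated first-match. The Python sketch below is an added example, not part of the original thread or of Squid; the function names, both sample configs, and the basic_ncsa_auth helper path and password file are assumptions.

```python
# Constructed sample: the two-line config from the quoted reply.
OPEN_CONF = """\
https_port 3127 tls-cert=/etc/squid/proxy.pem
http_access allow all
"""

# Constructed sample: same listener, but access requires proxy authentication.
# Helper path and password file are assumptions; they vary by install.
AUTH_CONF = """\
https_port 3127 tls-cert=/etc/squid/proxy.pem
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
"""

def parse(conf):
    """Return (names of ACLs that do not restrict the client, http_access rules)."""
    unrestricted = {"all"}  # 'all' is built in and matches every client
    rules = []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 3:
            continue
        if fields[0] == "acl" and fields[2] == "src" and "0.0.0.0/0" in fields[3:]:
            unrestricted.add(fields[1])  # user-defined "any IPv4 source" ACL
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return unrestricted, rules

def open_proxy_rules(conf):
    """List allow rules that admit a client without any real check.

    http_access is first-match and the ACLs on one line are ANDed, so a
    line made only of unrestricted ACLs matches whoever reaches it.
    """
    unrestricted, rules = parse(conf)
    findings = []
    for action, acls in rules:
        if all(name in unrestricted for name in acls):
            if action == "allow":
                findings.append("http_access allow " + " ".join(acls))
            break  # this line matches everyone, so later rules never run
    return findings

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("auth", AUTH_CONF)):
        print(label, open_proxy_rules(conf))
```
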

