[squid-users] CFG for access using certificates

Amos Jeffries squid3 at treenet.co.nz
Wed May 29 13:45:03 UTC 2019


On 28/05/19 11:56 pm, Jānis wrote:
> 
> Citēts Amos Jeffries
> Sun, 19 May 2019 14:53:33 +1200:
> 
>> On 19/05/19 5:45 am, Jānis wrote:
>>> Hi!
>>>
>>> It is clear to me how to limit access to the proxy from specific IPs using
>>> ACLs.
>>> I wish to create the config for the use of the proxy over SSL from any
>>> address. What would a basic cfg look like, assuming it is the only way to
>>> use the proxy?
>>
>>  https_port 3127 tls-cert=/etc/squid/proxy.pem
>>  http_access allow all
>>
>> I hope you can see that this is *not* secure in any way. Simple TLS to a
>> proxy only protects the in-transit bytes against spying. The proxy is an
>> open-proxy for any attacker to use at will, and the TLS can trivially be
>> MITM'd.
>>
>> You still need to have security checks (http_access rules) to check
>> whether the client is authorized to use the proxy.
> 
> Could it be user/password authentication? Is it plain-text or also
> over SSL?


If that suits your needs. The in-transit protection of TLS allows things
like Basic auth to be more secure than they are normally.

Almost anything is better than allowing anyone who can contact the proxy
to use it for *anything* they wish.

> 
> The other solution could be using SSL tunnels with private key
> authentication.
> 

That would be the polar opposite in terms of security from what you have
now. More secure is generally better. But YMMV on how far you can go
before things get too difficult for clients.

Amos
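As an added example that is not part of the thread, here is Amos's two-line https_port config with the open `http_access allow all` replaced by Basic authentication over that same TLS listener, which is the "Basic auth inside TLS" option he mentions; the helper path and password file location are assumptions and vary by distribution:

```conf
# --- Weak form from the thread: TLS listener, but anyone who can reach it may use it ---
# https_port 3127 tls-cert=/etc/squid/proxy.pem
# http_access allow all

# --- Hardened form: same TLS listener, access only for authenticated users ---
https_port 3127 tls-cert=/etc/squid/proxy.pem

# Basic auth helper. The helper path is an assumption; it differs by distribution.
# The credentials file is created with e.g.  htpasswd -c /etc/squid/passwd alice
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy over TLS
auth_param basic credentialsttl 2 hours

# Only clients that present valid proxy credentials match this ACL.
acl authenticated proxy_auth REQUIRED

# Challenge unauthenticated clients, allow the authenticated ones, deny everything else.
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

The `deny !authenticated` line is the standard Squid idiom that makes an unauthenticated request receive a 407 challenge rather than a plain denial; the Basic credentials themselves are only protected because they travel inside the TLS connection to the https_port.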

