[squid-users] Squid proxy configuration for client SSL termination

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 16 05:06:02 UTC 2020

On 16/04/20 1:23 pm, Michael Leikind wrote:
> Greetings to the Squid community!
> I would like to get the recommendation on how to configure Squid (latest
> version) with client SSL termination.
> The requirement is to provide proxy access to the internet for the
> client who has no ability to install a custom CA certificate.
> Following the documentation here
> <https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>,
> it is possible to use HTTPS for the browser-proxy connection the same
> way as HTTP.
> However, the only way to achieve that
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit> is
> to use SSL Interception with self-signed CA certificate, which cannot
> work in my case.
> Can someone please advise?

Clients *always* need a CA to trust TLS connections.

But, there are two types of "client termination".  Only intercepted
traffic requires the CA private keys to be on the proxy - which is where
the custom CA installation comes from.

A TLS explicit proxy using TLS to receive traffic (HTTP, HTTPS and
other) can use a normal server certificate signed by a global CA the
clients *may* already trust.
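To make the distinction concrete, here is an added configuration example (not part of the list post and not Amos's or the Squid project's own config) for the second case: an explicit forward proxy that accepts client connections over TLS on its `https_port` using an ordinary server certificate issued by a public CA, with no SSL bumping at all. Hostname, port numbers, file paths and the client subnet are assumptions; the directive names are standard Squid 4/5 syntax.

```conf
# Added example, not from the mailing-list thread.
# Squid 4/5 explicit proxy reachable over TLS ("HTTPS proxy" in browser terms).
# Hostname, ports, paths and the client subnet are placeholders.

# Plain explicit proxy port for clients that cannot speak TLS to a proxy.
http_port 3128

# TLS explicit proxy port. The certificate is a normal server certificate for
# the proxy's own hostname (proxy.example.com), signed by a public CA that
# browsers already trust. tls-cert holds the leaf followed by intermediates.
# There is no CA private key on this host: the proxy only proves its own identity.
https_port 3129 \
    tls-cert=/etc/squid/certs/proxy.example.com.fullchain.pem \
    tls-key=/etc/squid/certs/proxy.example.com.key \
    tls-min-version=1.2

# Deliberately no ssl_bump directives: CONNECT tunnels are relayed untouched,
# so end-to-end TLS between browser and origin stays intact and nothing on the
# proxy can read it. Only the browser-to-proxy hop gains encryption.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Restrict who may use the proxy; an open TLS proxy is still an open proxy.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Clients point at this port with a proxy setting of type "HTTPS" (in a PAC file, `HTTPS proxy.example.com:3129`), and the browser validates `proxy.example.com` against its normal trust store exactly as it would for any website. The interception variant the original poster was trying to avoid is the one that adds `ssl-bump` plus `generate-host-certificates=on` to the port and `ssl_bump` rules below it; that is what requires a CA certificate and private key on the proxy and the matching root installed on every client.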


