[squid-users] tproxy sslbump and user authentication
Amos Jeffries
squid3 at treenet.co.nz
Tue Apr 21 06:28:53 UTC 2020
On 21/04/20 11:08 am, Vieri wrote:
> Hi,
>
> Is it possible to somehow combine the filtering capabilities of tproxy ssl-bump for access to https sites and the access control flexibility of proxy_auth (e.g. Kerberos)?
Please see the FAQ:
<https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F>
>
> Is having two proxy servers in sequence an acceptable approach, or can it be done within the same instance with the CONNECT method?
>
> My first approach would be to configure clients to send their user credentials to an explicit proxy (Squid #1) which would then proxy_auth via Kerberos to a PDC. ACL rules would be applied here based on users, domains, IP addr., etc.
>
> The http/https traffic would then go forcibly through a tproxy ssl-bump host (Squid #2) which would basically analyze/filter traffic via ICAP.

Why bother with the second proxy at all? The explicit proxy has access
to all the details the interception one does (and more - such as
credentials). It should be able to do all filtering necessary.

TPROXY and NAT are for proxying traffic of clients which do not support
HTTP proxies. They are hugely limited in what they can do. If you have
the ability to use explicit-proxy, do so.

Amos
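
The single explicit-proxy arrangement the reply recommends, as an added squid.conf example that is not part of the original message or of the Squid project's documentation: one forward-proxy port that authenticates via Kerberos, bumps TLS, and hands the decrypted requests to ICAP. Helper paths, the CA file, the Kerberos principal, the client network, the user name and the ICAP URL are assumptions to replace with local values.

```conf
# Explicit (forward) proxy port with SSL-Bump enabled.
# Assumption: /etc/squid/bump-ca.pem holds the local signing CA cert and key.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Certificate generator helper (path and DB location are assumptions).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Kerberos (Negotiate) authentication. Clients must be configured to use this
# proxy explicitly; an intercepted client cannot answer a proxy auth challenge.
# The principal below is a constructed placeholder.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.internal@EXAMPLE.INTERNAL
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

acl localnet src 10.0.0.0/8                      # assumed client network
acl authenticated proxy_auth REQUIRED
acl restricted_users proxy_auth alice@EXAMPLE.INTERNAL   # constructed user
acl blocked_sites dstdomain .blocked.example             # constructed domain

# Peek at the TLS client hello first, then bump everything else.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# User, domain and address based rules all live on the same proxy.
# The CONNECT request is what gets authenticated here.
http_access deny !localnet
http_access deny !authenticated
http_access deny restricted_users blocked_sites
http_access allow authenticated
http_access deny all

# Content filtering via ICAP on the decrypted requests, with the
# authenticated user name passed to the ICAP service.
icap_enable on
adaptation_send_username on
icap_client_username_header X-Client-Username
icap_service svc_req reqmod_precache icap://127.0.0.1:1344/reqmod bypass=off
adaptation_access svc_req allow all
```

`bypass=off` makes the proxy fail closed if the ICAP service is unreachable, and clients must trust the signing CA for bumped connections to validate.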