[squid-users] Using a Baltimore root certificate in transparent ssl proxying
Antony.Stone at squid.open.source.it
Tue Apr 28 08:42:27 UTC 2020
On Monday 27 April 2020 at 23:44:41, Lei Wen wrote:
> The issue we are having right now is the certificate installed on the
> container is a self signed cert, we were trying to migrate this cert to a
> real trusted CA cert, or a Baltimore root cert.
That will not work for an intercepting ("transparent") proxy.
> I do notice that it is illegal for a trusted CA to issue official cert to
> squid because squid itself is man-in-the-middle, so Squid can only accept
> self signed cert and squid as root CA?
This is correct.
Squid is acting as a man-in-the-middle for *any* web request your users choose
to pass through it, therefore it has to present a certificate to their browser
which is valid for whatever domain they have requested.
In effect, it would need a wildcard certificate for the entire Internet.
No CA is going to give you that.
"How I managed so long without this book baffles the mind."
- Richard Stoakley, Group Program Manager, Microsoft Corporation,
referring to "The Art of Project Management", O'Reilly press
Please reply to the list;
please *don't* CC me.
More information about the squid-users