[squid-users] using "acl <name> user_cert CN <cn>"
claudiu vasadi
claudiu.vasadi at gmail.com
Fri Feb 28 13:35:00 UTC 2020
Hello list,
I’m currently trying to wrap my head around the concept of using “acl
name user_cert CN cn” on squid 3.5. What I would like to achieve is a
setup where the client needs to pass a certificate and squid
allows/denies access to the internet based on said certificate CN. So
far I came up empty.
My current config:
acl ssl_authentication user_cert CN user.cn.com
http_access allow all ssl_authentication
http_port 443 ssl-bump \
cert=/etc/squid/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#this is what generates certs on the fly. Point to the CA you generated above.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /tmp/squid/ssl_db -M 4MB
sslcrtd_children 5
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump stare all
always_direct allow all
>From the client side I do:
curl -E certificate.pem -k -x http://myproxy:443 https://www.google.de
but I get the access denied page.
Checking cache.log I see:
matches: checking ssl_authentication = 0
clientAccessCheckDone: The request CONNECT www.google.de:443 is
DENIED; last ACL checked: all
So it’s clear the acl doesn’t match.
What am I doing wrong here? How should I adjust the acl?
PS: checking the certificate confirms the CN to be user.cn.com
More information about the squid-users
mailing list