[squid-users] Sending CONNECT method requests over HTTPS

Ronan Lucio ronanlucio at gmail.com
Wed May 20 17:38:04 UTC 2020


Hi Alex,

> > My scenario is:
> > I have a serverless API that needs to connect to a couple specific
> > targets from a static IP.
> > As this serverless API doesn't have a static IP, I thought to do this
> > through a proxy server.
> > That's why I need to enforce security on the authentication layer.
>
> And, I presume, you do not trust the API to only request what it should.
> If you trust the API, then you do not need the allowed_target check.
>
> Also, if possible, consider using certificate-based authentication
> rather than HTTP authentication to authenticate your clients to Squid.
> Certificate-based authentication happens earlier, before Squid has to
> deal with all the dangers of HTTP negotiations.

That's a good point.
First, I can trust the requester API, but I can't trust the source
network; it's in the cloud and it surely has other applications in the
same public network.
I also plan to send these requests through NAT from a static IP, so I
can accept requests only from a specific IP.

The idea of using certificate-based authentication is really good.
Is it possible to do this between client and Squid, or do you mean
client-to-other-end?

Thanks
Ronan

