[squid-users] auth_param tls? limiting proxy access based on client TLS authentication
Alex Rousskov
rousskov at measurement-factory.com
Sat Nov 14 22:26:57 UTC 2020
On 11/14/20 1:53 PM, Bob Rich wrote:
> 1 - Run TLS on the proxy listener. This would use https_port directive
> and would require that we are able to configure the proxy to mandate
> client certificates before allowing the connection to complete. Clients
> with no/invalid certificates wouldn't even get to the point where they
> can send a request to the proxy.
Yes, this is how certificate-based authentication is usually done with
Squid. There are large Squid deployments using this mechanism. It is
also the most secure method of using a proxy...
https_port 3443 clientca=auth.pem tls-cert=squid.pem ...
The biggest problem with this approach is being able to configure
clients to use an HTTPS proxy (as opposed to using an HTTP proxy for
HTTPS traffic). Popular browsers support HTTPS proxies (but may require
PAC-based configuration to enable that support[1]). Many clients do not
support HTTPS proxies.
[1] Look for "HTTPS proxy" at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file
Please note that one cannot combine SslBump and certificate-based client
authentication on the same port (yet?).
BTW, the other two options for certificate-based authentication that you
were thinking about will not work out of the box, for various reasons.
HTH,
Alex.
> 2 - Use ssl-bump functionality to modify the TLS handshake that occurs
> after a CONNECT request to require a valid client certificate before
> completing the request. No idea if this is possible.
>
> 3 - Use either of the above to establish the mutually authenticated TLS
> context and then surface that information through ICAP to offload the
> authorization decision.
>
> I've been able to get ssl-bump working to generate custom certs and I
> have Squid talking to c-icap. I haven't successfully got Squid to prompt
> the client to authenticate and I still have quite a bit of learning to
> do on the ICAP side.
>
> Thanks in advance for any steers (including 'this is a terrible idea' of
> course :)
>
> Lastly I haven't used gmail with a mailing list before. Let me know if
> i've stomping on some etiquette.
More information about the squid-users
mailing list