[squid-users] Allowing User Certificate Authentication with SSL Bump

Justin Cook justinglencook at gmail.com
Tue Apr 27 17:33:03 UTC 2021


We are running into a situation where we are unable to fully authenticate
our users to an internal tooling service that requires certificate
authentication as part of its login process, when going through squid
forward proxy with SSL bump enabled.  The problem, however, is that it
shares a domain name with all of our other internal tooling services so we
cannot just enable splice for the domain, since we then lose access to ssl
bump and the url logging that it allows.

In this implementation, the main thing that we are using Squid for is
allowance-only access for a locked down subset of machines, where specific
URLs are allowed for different machine sets.  We need the source machine
and URLs accessed to be logged in case they need to be reviewed at a later
date.

So I am trying to find some way to accomplish one of the following:
1.  Log full URL paths for spliced domains (www.domain.com/auth/tool
instead of just www.domain.com)
2.  Allow user certificate based authentication for SSL Bumped URLs
3.  Splice only a specific subdirectory instead of a whole domain (which is
impossible, if I understand correctly)

Are any of these even possible with squid or have we hit a brick wall in
terms of available functionality?  I haven't been able to find any working
solutions for enabling user certificate authentication with squid forward
proxies.  The most I have been able to do is have the squid proxy itself
present a static user certificate, but that won't be deemed acceptable by
the security teams that manage the authentication services.
Thanks in advance for your help!
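To make the trade-off described above concrete, here is an added squid.conf fragment (not from the original post or the Squid project) showing the peek-then-splice pattern the poster is choosing between; the host name, certificate path and ACL names are assumptions for the illustration.

```conf
# Added example, not from the original post. Host name, CA path and ACL
# names are assumed for illustration.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on

# Step 1 of SSL bump: Squid has only seen the client's ClientHello (SNI)
acl step1 at_step SslBump1
# Host whose login relies on the client presenting its own certificate
acl cert_auth_host ssl::server_name www.domain.com

# Peek at the ClientHello so ssl::server_name can be evaluated
ssl_bump peek step1

# Splice: the client's TLS session is tunnelled end to end, so the origin
# can do client-certificate auth, but Squid never sees the HTTP layer and
# access.log only records "CONNECT www.domain.com:443", never the path
ssl_bump splice cert_auth_host

# Bump everything else: Squid terminates TLS with a generated certificate,
# so full URLs (https://host/path) reach access.log, but the origin only
# ever sees Squid's own TLS client, not the user's certificate
ssl_bump bump all
```

Because the splice decision is made per TLS connection on the SNI alone, and the request path is only visible after bumping, the same host name cannot be spliced for one path and bumped for another.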