[squid-users] Mutual TLS for the upstream example

Sergey Maslyakov evolvah at gmail.com
Thu Jan 14 23:38:11 UTC 2021


Thank you, Eliezer! I will look into it but it appears that the underlying
problem is not solvable by design of the mTLS handshake... There are corner
cases that can be solved but not the original issue.


On Thu, Jan 14, 2021 at 2:39 PM Eliezer Croitoru <ngtech1ltd at gmail.com>
wrote:

> I don’t know about Squid but I assume varnish has this feature:
>
> https://docs.varnish-software.com/varnish-cache-plus/features/backend-ssl/
>
> If you just need a GW without caching it should work as expected.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd at gmail.com
> Zoom: Coming soon
>
> *From:* squid-users <squid-users-bounces at lists.squid-cache.org> *On
> Behalf Of *Sergey Maslyakov
> *Sent:* Thursday, January 14, 2021 9:41 PM
> *To:* squid-users at lists.squid-cache.org
> *Subject:* [squid-users] Mutual TLS for the upstream example
>
> Folks,
>
> Is the CONNECT tunnel designed in a way that enables it to "enrich" the
> outgoing connection with mTLS authentication? "tls_outgoing_options" does
> not seem to work the way I was hoping it does.
>
> My destination server requires mTLS authentication of the client. I have a
> valid key-cert pair and I can successfully execute a "curl" command to
> fetch a document from that server using the key-cert pair at hand.
>
> I want to put Squid between my clients (Maven, Gradle, Docker Engine, etc)
> and the server so that clients would be configured to use the instance of
> Squid as an HTTPS proxy but would not have to be configured with the mTLS
> key-cert pair.
>
> Here is how I see it:
>
> Maven --- (HTTPS/CONNECT) ---> Squid (stores my mTLS key-cert pair) --- (mTLS/SSL) ---> Server
>
> Is this doable within Squid architecture?
>
> I got it working using NGINX with some minor hiccups and I was hoping I
> can do it more elegantly with Squid.
>
> Thank you,
>
> /Sergey