[squid-users] Does Squid support client ssl termination?

mingheng wang ifoolb at gmail.com
Tue Nov 1 01:32:27 UTC 2022


On Mon, Oct 31, 2022, 11:46 PM Grant Taylor <gtaylor at tnetconsulting.net>
wrote:

> Hi,
>
> Pre-script:  Did you mean to reply directly to me?  Or did you intend
> for your reply to go to the squid-users mailing list?
>
Sorry about that, don't know why it only went to you.

> On 10/27/22 6:47 PM, mingheng wang wrote:
> > In my experience, many clients, such as Firefox and Chrome, favor
> > HTTPS over HTTP, and some clients even enforce HTTPS. They downright
> > send HTTPS CONNECT to 443.
>
> I think that is a relatively recent change in preference.
>
> > Does this mean Squid does support this:
> >   Client --[HTTPS on self-signed certs]-->Squid--[HTTP]--> site (suppose
> > it doesn't redirect)
>
> Yes, that is entirely likely to happen.
>
> N.B. I'm going to trust that the self-signed vs CA-signed certs are a
> non-issue and that clients have been configured to trust whatever cert
> is being used, no matter who signed it.
>
I delved into the configuration the last few days, and found that Squid
doesn't officially support cache_peer when ssl_bump is in use. Actually,
I can't find a single tool in the market that can just encrypt any HTTP
connection, "converting" it to an HTTPS connection. I'm reading RFCs and
documentation to write my own proxy.


> > My Apache server only listens on 80, but when using Cloudflare in
> > front of it, Cloudflare can add HTTPS support, signed by them, and
> > web browsers say the connection is secured. So I thought Squid could
> > do the same, only with self-signed certs.
>
> Cloudflare is functioning as a /reverse/-proxy in that case.  Forward vs
> reverse proxy is technically different and has different semantics.
>
> I believe that Squid can function as a reverse proxy.
>
This is what still confuses me. A reverse proxy is supposed to proxy a
web site. At least that's what I learnt from Nginx and Haproxy's
documentation. I'll read more on this when I have time.


> > Because I also want to avoid TLS over TLS, if I chain another HTTPS
> > proxy between the local Squid and the remote Squid. Our company's
> > gateway monitors traffic and forbids tunnels to prevent accessing
> > systems from outside but this is also hurting my internet access. When
> > using HTTPS over a SSL tunnel within our company, it may trigger the
> > IT security policy.
>
> Okay.  This local restriction may complicate things.
>
Very tough network environment. They can even somehow detect a
confidential file going through the gateway, even with TLS.

> That would mean that unencrypted sites would never be encrypted between
> the two proxies.  If that's okay with you, then fine by me.
>
> > The downstream child Squid is running on the same localhost as with
> > other programs that are going to use it.
>
> Okay.  Thank you for clarifying.
>
> Aside:  I see little benefit, and non-trivial complication, to do HTTPS
> web browser to Squid connections to have Squid do unencrypted traffic out.
>
> > I mean certs signed by well known public CA, like DigiCert, Cloudflare
> > etc.
>
> Okay.  Thank you for clarifying.
>
> > Our company blocks HTTPS connections with self-signed certs. It says
> > they're malicious.  Besides, I want to reuse the public CA signed
> > certs that my website uses. Sorry for not being clearer before,
> > perhaps my use case is too specific.
>
> Re-using CA-signed certificates from a web server on a Squid proxy
> server may not work as well as you hope.  There's a good chance that you
> will run into issues related to CN / SAN mis-match.
>
> If you don't have any CN / SAN mis-match issues, as in the original cert
> includes the proxy's name as a SAN, you'll probably be okay.
>
I can just negotiate HTTPS using a separate piece of software and send
HTTP data through the tunnel. I believe the important part is the TLS
negotiation. Eliminating TLS over TLS should be enough to evade our IT's
DPI. They even banned git from accessing the net outside the company
because they can't be sure what we are doing with git as it's
simultaneously downloading and uploading.

>
>
> --
> Grant. . . .
> unix || die
>
>
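
The CN / SAN mismatch Grant mentions above, as an added example that is not part of the original thread: it checks whether a certificate's SAN entries cover the name a client uses to reach the proxy. The hostnames, SAN lists and function names are constructed for illustration, and it assumes the client matches on SAN entries only, with simplified wildcard rules.

```python
# Added illustration, not from the thread. Hostnames and SAN lists are
# constructed placeholders; function names are hypothetical.

def _labels(name):
    """Lower-case DNS labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if a single dNSName SAN entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False              # a wildcard never spans several labels
    if p[0] == "*":
        # Simplified rule: the wildcard must be the whole left-most label,
        # and patterns with fewer than three labels ("*.com") are rejected.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h   # no partial or inner wildcards

def cert_covers(san_list, hostname):
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in san_list)

def coverage_report(san_list, hostnames):
    """Map each name a client might connect to -> covered or not."""
    return {name: cert_covers(san_list, name) for name in hostnames}

# Constructed sample data: a web server cert reused on a proxy host.
WEB_CERT_SANS = ["example.com", "www.example.com"]
WILDCARD_CERT_SANS = ["example.com", "*.example.com"]
NAMES = ["www.example.com", "proxy.example.com", "proxy.corp.example.com"]

if __name__ == "__main__":
    for label, sans in (("web cert", WEB_CERT_SANS),
                        ("wildcard cert", WILDCARD_CERT_SANS)):
        for name, ok in coverage_report(sans, NAMES).items():
            print(f"{label:13} {name:24} {'match' if ok else 'MISMATCH'}")
```
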