[squid-users] Does Squid support client ssl termination?
Grant Taylor
gtaylor at tnetconsulting.net
Wed Oct 26 17:38:01 UTC 2022
On 10/26/22 10:43 AM, mingheng wang wrote:
> Hello all,
Hi,
> Since ssl_bump can generate self signed certificates on the fly, I
> wonder if this setup is possible, or even just in theory:
> clients with necessary root CA installed connect to a local Squid. With
> ssl_bump and self signed certs,
I'm with you so far. I've got such a Monkey in the Middle here at the
house.
> it always talks with the clients over HTTPS,
Please clarify / confirm if you're talking about HTTPS protection of the
client to squid connection. -- I ask because not all clients natively
/ easily support HTTPS connection to Squid.
N.B. the connection between the client and Squid is completely
independent of the connection between Squid and the next upstream server.
> making clients believe their connections are secure;
This is the biggest hang up for me. -- I don't think that the HTTPS
communications with Squid in and of itself will cause clients to think
that an insecure site is actually secure.
My client doesn't show that it has a secure connection to neverssl.com
which doesn't support HTTPS (by design) despite communicating with Squid
via HTTPS.
> the local Squid then forwards the connections to a parent Squid server,
> which however, will only send data back in plain HTTP, i.e. in clear
> text, akin to a reverse proxy with ssl termination to its proxied site.
Okay. I'm not sure why you would not have encryption on the downstream
child Squid to the upstream parent Squid, but that's your choice.
> my goals are to cache data/modify requests even when connecting to
> https only sites,
Squid's TLS Monkey in the Middle should cache things without any
problem. So I don't see the need to do anything extra for this.
> while avoiding using self signed certs to encrypt connections over the
> Internet,
I have no idea where the downstream child Squid is that's doing TLS
MitM. Nor do I have any idea where the upstream parent Squid is. So I
can't really comment about locality / Internet.
> because this way, I can chain an https proxy with trusted certs
> in between.
"Trusted certs" is sort of ambiguous in this case as your TLS MitM
/clients/ *trust* the root cert that the downstream child Squid is using.
I see no reason why you can't use similar methodology to protect the
communications between the downstream child Squid to the upstream parent
Squid. -- Independent of who the cert used by the upstream parent
Squid is from.
If the downstream child Squid has the root CA that signed the upstream
parent Squid's TLS certificate in the downstream child Squid root CA
store, then the connection between the two Squids is trusted. Even if
there are no public CAs involved. }:-)
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4017 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20221026/e0d0181d/attachment.bin>
More information about the squid-users
mailing list