[squid-users] Squid proxy as outgoing gateway
Alex Rousskov
rousskov at measurement-factory.com
Tue Sep 20 14:11:43 UTC 2022
On 9/20/22 00:53, Mark Schenk wrote:
> We have a use case in which we need to do mutual TLS with an upstream
> server. Our internal services are using their own certificates, and we
> would like to use the SQUID proxy as a kind of gateway to which we send
> requests for the upstream server. The squid proxy will verify the
> incoming certificate and if correct, replace it by a certificate that is
> appropriate for the upstream server. I'm wondering whether this is
> possible with squid. I have been looking into ssl-bump of squid but
> couldn't get it working.
I see nothing in your description that would require SslBump. You seem
to be describing a reverse proxy for an HTTPS service with
certificate-based authentication. The certificates you are talking about
sound like client certificates. Squid supports those.
> Has anybody any experience with mutual authentication and squid?
I would start with a basic https_port and TLS cache_peer combo:
# Squid pretends to be an HTTPS service listening on port 443
# and requiring client certificates
https_port 443 accel cert=... tls-cafile=... ...
# Squid forwards (all? some?) requests to the real HTTPS service
# that requires client certificates
cache_peer ... parent 443 0 no-query originserver tls sslcert=... ...
hierarchical_direct off
never_direct allow ...
HTH,
Alex.
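A fuller sketch of the same https_port plus TLS cache_peer layout, added here as an illustration; it is not from Alex's reply or from the Squid project. Every file path, host name and CA name is a placeholder, and it assumes a Squid 4 or later build with OpenSSL support.

```conf
# Added illustration (not from the thread). Squid as a TLS gateway:
# it authenticates internal clients by certificate on the front side and
# presents its own client certificate to the upstream service on the back.
# All paths, hosts and names below are placeholders.

# Front side: HTTPS reverse proxy (accel) that requires client certificates.
# clientca=  lists the CAs Squid names when requesting a client certificate
# tls-cafile= is what the presented certificate is verified against
# NO_DEFAULT_CA keeps the system CA bundle out of that verification
https_port 443 accel defaultsite=upstream.example.internal \
    cert=/etc/squid/tls/gateway.crt \
    key=/etc/squid/tls/gateway.key \
    clientca=/etc/squid/tls/internal-ca.crt \
    tls-cafile=/etc/squid/tls/internal-ca.crt \
    crlfile=/etc/squid/tls/internal-ca.crl \
    sslflags=NO_DEFAULT_CA

# The TLS handshake already rejects certificates that do not verify; this
# ACL is an explicit second check that the issuer is the internal CA.
# (Value kept free of spaces: a double-quoted ACL value means "read a file".)
acl internal_client ca_cert CN InternalServicesCA
acl gateway_site dstdomain upstream.example.internal

# Back side: the real HTTPS origin that wants a client certificate.
# Squid presents sslcert/sslkey and verifies the origin against tls-cafile.
cache_peer upstream.example.internal parent 443 0 no-query originserver tls \
    name=upstream \
    sslcert=/etc/squid/tls/squid-client.crt \
    sslkey=/etc/squid/tls/squid-client.key \
    tls-cafile=/etc/squid/tls/upstream-ca.crt

cache_peer_access upstream allow gateway_site
cache_peer_access upstream deny all

# Never reach the origin directly, i.e. without the peer's client certificate.
hierarchical_direct off
never_direct allow all

# Only certificate-authenticated internal clients, and only for this site.
http_access allow internal_client gateway_site
http_access deny all
```

Run `squid -k parse` after editing to catch option names your build does not support.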