<div dir="ltr">To reiterate Alex, "yes you can".<div><br></div><div>Squid supports "proxy over TLS" as well as the old/default "proxy over TCP" - you use the https_port option</div><div><br></div><div>...but getting browsers to support it is challenging. The best way would be to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY". Then you can just use Proxy-Authentication using Basic and you'd be all set. BTW, Basic has MAJOR performance benefits over any other form of authentication IMHO. Basic over TLS is the way to go...</div><div><br></div><div><br></div><div>eg something like this </div><div><br></div><div>---------------- wpad.dat ----------</div><div><br></div><div><div>function FindProxyForURL(url, host)</div><div>{</div><div> // see how I used 443? If you're going to run a TLS-encrypted proxy, make it totally appear as a HTTPS server and run it on port 443...</div><div> //<br></div><div> </div><div><br></div><div><span style="white-space:pre"> </span>if (isPlainHostName(host) || dnsDomainIs(host,"localhost.localdomain") ) {</div><div><span style="white-space:pre"> </span>return "DIRECT";</div><div><span style="white-space:pre"> </span>} else if (isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host, "10.0.0.0", "255.0.0.0") || isInNet(host, "172.16.0.0", "255.240.0.0") || isInNet(host, "192.168.0.0", "255.255.0.0") ) {</div><div><span style="white-space:pre"> </span>return "DIRECT";</div><div><span style="white-space:pre"> </span>} else {</div><div><span style="white-space:pre"> </span>// </div><div><span style="white-space:pre"> </span>return "HTTPS <a href="http://secure-squid.com:443">secure-squid.com:443</a>";</div><div> <span style="white-space:pre"> </span>}</div><div>}</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 5, 2017 at 5:13 AM, Colle Christophe <span dir="ltr"><<a href="mailto:christophe.colle@ac-nancy-metz.fr" target="_blank">christophe.colle@ac-nancy-metz.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi Anthony,</div><div><br></div><div>Thank you for your answer.</div><div><br></div><div>That this only secures the traffic Squid<->LDAP Server, not browsers<->Squid.</div><div><br></div><div>Is there a solution to secure communication between the browser and the proxy?</div></div><div><br></div><div><br></div><div>Chris.</div><div><br></div><span>Le 04/12/17 16:49, <b class="m_-4985320708803459319name">Antony Stone </b> <<a href="mailto:Antony.Stone@squid.open.source.it" target="_blank">Antony.Stone@squid.open.<wbr>source.it</a>> a écrit :</span><div class="HOEnZb"><div class="h5"><blockquote class="m_-4985320708803459319iwcQuote" style="border-left:1px solid #00f;padding-left:13px;margin-left:0" type="cite"><div class="m_-4985320708803459319mimetype-text-plain">On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:<br><br>> Is there a solution to secure the "basic" authentication of squid? (with an<br>> SSL certificate for example).<br><br><a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap" target="_blank">https://wiki.squid-cache.org/<wbr>ConfigExamples/Authenticate/<wbr>Ldap</a> section <br>"SSL/TLS_adjustments"?<br><br><br>Antony.<br><br>-- <br>"Linux is going to be part of the future. It's going to be like Unix was."<br><br> - Peter Moore, Asia-Pacific general manager, Microsoft<br><br> <wbr> Please reply to the list;<br> <wbr> please *don't* CC me.<br>______________________________<wbr>_________________<br>squid-users mailing list<br><a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a></div></blockquote>
</div></div><br>______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Cheers</div><div><br></div><div>Jason Haar</div><div>Information Security Manager, Trimble Navigation Ltd.</div><div>Phone: +1 408 481 8171</div><div>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1</div></div></div>
</div>