<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Thank you for the directions, I have the https proxy working now.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I got a signed CA cert and installed it on the squid server and after importing the intermediate cert into the client, it is working as expected.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default"><font face="tahoma, sans-serif"><i>https_port 3128 tls-cert=/etc/squid/ssl_cert/ssl_certificate.cer tls-key=/etc/squid/ssl_cert/proxy.key</i></font><br></div><div class="gmail_default"><br></div><div class="gmail_default">Thanks for all the help and the responsiveness.</div><div class="gmail_default"><br></div><div class="gmail_default"><br></div><div class="gmail_default">Subhish</div><div class="gmail_default"><font face="tahoma, sans-serif"><i><br></i></font></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Dec 14, 2018 at 2:33 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 12/14/18 12:03 PM, Subhish Pillai wrote:<br>
<br>
> my use case for the squid proxy is to be able to accept a<br>
> HTTPS_proxy request from the client and tunnel it forward to the<br>
> destination server. <br>
<br>
> How do I get this to work without having to create self-signed certs on<br>
> the proxy server and importing that into the client ca-bundle. <br>
<br>
Get a server certificate from a CA authority that the client trusts,<br>
issued for the Squid proxy domain. Give Squid that certificate. For<br>
example, you may be able to use a free <a href="http://letsencrypt.org" rel="noreferrer" target="_blank">letsencrypt.org</a> CA.<br>
<br>
An HTTPS proxy needs a certificate it can sign its traffic with. That<br>
certificate must be issued by a client-trusted CA. Whether that is a<br>
fake CA that you operate (what you may have referred to as a<br>
"self-signed cert" above) or a real CA trusted by millions of other<br>
clients (e.g., letsencrypt), is your choice.<br>
<br>
<br>
> For that I copied over the CA bundle from the client<br>
> into the proxy server and pointed the "tls-cert" option to that file<br>
<br>
Why? Please suggest specific documentation changes that would remove the<br>
implication that doing the above has something to do with your goals.<br>
That option is for specifying the signing certificate (i.e. the<br>
certificate the proxy is going to sign traffic with).<br>
<br>
<br>
> Am I missing any config steps in the squid.conf file?<br>
<br>
You are missing a clientca or tls-cafile option that triggers client<br>
certificate request (from Squid to client) and gives Squid CA<br>
certificates to trust when validating the client-supplied certificate.<br>
This is unrelated to the Squid signing certificate discussed above.<br>
<br>
Alex.<br>
<br>
<br>
> On Wed, Dec 12, 2018 at 6:53 PM Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a><br>
> <mailto:<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>>> wrote:<br>
> <br>
> On 13/12/18 12:50 pm, Subhish Pillai wrote:<br>
> > Thanks Alex, that was very helpful.<br>
> ><br>
> > Based on your explanation, I just want to use squid as a blind TCP<br>
> > tunnel carrying the HTTPS connection from client to app server. <br>
> ><br>
> > In that case, I don't need to use ssl_bump feature and the ssl_crtd<br>
> > program for certificate management, is that correct?<br>
> ><br>
> <br>
> Going by the description you gave of the client configuration, it<br>
> should be.<br>
> <br>
> <br>
> > Would this config file work to setup the TCP tunnel --<br>
> <br>
> ...<br>
> > ## Allow server side certificate errors such as untrusted<br>
> certificates,<br>
> > otherwise the connection is closed for such errors<br>
> > sslproxy_cert_error allow all<br>
> ><br>
> > ## Accept certificates that fail verification (should only be<br>
> needed if<br>
> > using 'sslproxy_cert_error allow all')<br>
> > sslproxy_flags DONT_VERIFY_PEER<br>
> ><br>
> <br>
> These sslproxy_* options only apply when Squid is actively performing<br>
> TLS to upstream servers. They have no place in the "blind tunnel"<br>
> situation.<br>
> (They also are deprecated in Squid-4, replaced by the<br>
> tls_outgoing_options directive<br>
> <<a href="http://www.squid-cache.org/Doc/config/tls_outgoing_options/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Doc/config/tls_outgoing_options/</a>>).<br>
> <br>
> If the client software is sending CONNECT requests containing the HTTPS<br>
> traffic, then there is absolutely nothing your config needs to do than<br>
> let them send those requests to the proxy (as the default config does).<br>
> <br>
> You do not even need Squid to be built with TLS/SSL support. That is the<br>
> meaning of "blind" in this setup.<br>
> <br>
> Amos<br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <br>
> <br>
> <br>
> -- <br>
> <br>
> *Subhish Pillai*<br>
> <br>
> R&D Software Quality Engineer<br>
> <br>
> Broadcom | Brocade Storage Networking<br>
> <br>
> T (720) 462-2900<br>
> <br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_-8767902539362374891gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><b><span style="font-size:10pt;font-family:Arial,sans-serif">Subhish Pillai</span></b><span style="font-size:9.5pt;font-family:Arial,sans-serif"></span></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><font color="#444444"><span style="font-size:8pt;font-family:Arial,sans-serif">R&D Software Quality Engineer</span><span style="font-family:Arial,sans-serif;font-size:9.5pt"></span></font></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><font color="#444444"><span style="font-size:8pt;font-family:Arial,sans-serif">Broadcom | Brocade Storage Networking</span><span style="font-size:9.5pt;font-family:Arial,sans-serif"></span></font></p><p style="margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><span style="font-size:8pt;color:rgb(68,68,68);font-family:Arial,sans-serif">T (720) 462-2900</span><br></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><img src="https://broadcom.okta.com/bc/image/fileStoreRecord?id=fs09tph49bX08lpVi0x7" width="200" height="33"></p></div></div></div></div></div></div></div></div></div>