[squid-users] squid reverse proxy and client certs

Alex Samad alex at samad.com.au
Wed Dec 30 22:40:34 UTC 2015


Hi

Thanks I thought that might be the issue.

Could you point me to an example for requesting client certs for a directory?

Thanks
Alex

On 30 December 2015 at 21:56, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> On 30.12.15 15:11, Alex Samad wrote:
>>
>> I have squid 3.5.12 working as a reverse proxy
>>
>> cache_peer 127.0.0.1 \
>> parent 443 0 proxy-only no-query no-digest originserver \
>> login=PASS \
>> ssl \
>> sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
>> sslflags=DONT_VERIFY_PEER \
>> name=webServer
>>
>> This points to httpd which has a
>>        <Location /test/>
>>                DirectoryIndex index.shtml index.html
>>                Options -Indexes -Includes +IncludesNOEXEC -SymLinksIfOwnerMatch -ExecCGI -FollowSymLinks
>>
>>                SSLOptions +StdEnvVars +ExportCertData
>>                SSLVerifyClient optional_no_ca
>>                SSLVerifyDepth 4
>>        </Location>
>>
>> Unfortunately the request for a client cert never makes it to the client.
>>
>> How can I change this to allow client certs to work
>
>
> client certs will only work when you pass the connection directly to the web
> server without unbundling SSL.
> That means it's useless to use a reverse proxy for an HTTPS server when it needs
> client certificates.
>
> The workaround could be verifying client certificates in squid, pushing that
> info to the server, and the web server trusting that info...
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> Chernobyl was a Windows 95 beta test site.
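An added example of the workaround Matus describes (squid terminating TLS, verifying the client certificate, and passing the verified identity to httpd as request headers); this is not configuration from the thread or from the Squid project. The certificate paths, the `www.example.com` hostname and the `X-SSL-Client-*` header names are assumed placeholders; `clientca=` on `https_port` and the `%ssl::>cert_subject` / `%ssl::>cert_issuer` format codes in `request_header_add` are assumed to be available in squid 3.5, and `Require expr` assumes httpd 2.4.

```conf
# --- squid.conf (reverse proxy in front of httpd) ---
# Terminate TLS in squid and request a client certificate during the handshake;
# the browser only sees squid's TLS session, so this is where the request
# for a cert has to happen.  Paths and hostname are placeholders.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/pki/tls/certs/server.crt \
    key=/etc/pki/tls/private/server.key \
    clientca=/etc/pki/tls/certs/client-ca.crt

cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver \
    login=PASS ssl sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
    sslflags=DONT_VERIFY_PEER name=webServer

# Drop any browser-supplied copy of the identity headers so a client cannot
# forge its own "verified" subject (header names are assumed placeholders).
request_header_access X-SSL-Client-Subject deny all
request_header_access X-SSL-Client-Issuer  deny all

# Push the subject/issuer of the certificate squid verified to httpd.
request_header_add X-SSL-Client-Subject "%ssl::>cert_subject" all
request_header_add X-SSL-Client-Issuer  "%ssl::>cert_issuer"  all

# --- httpd (backend, listening only on 127.0.0.1:443) ---
# httpd never sees the browser's TLS session any more, so stop asking for a
# certificate here and enforce "must have a client cert" for /test/ using
# the header that squid set.
<Location /test/>
    SSLVerifyClient none
    Require expr "%{HTTP:X-SSL-Client-Subject} != ''"
</Location>
```

The trust in the `X-SSL-Client-*` headers is only as good as the guarantee that every request reaching httpd came through squid, so the backend must listen on 127.0.0.1 (or be firewalled to squid's address) and nothing else may be able to connect to it directly. Check in the running squid that the `request_header_access` denial is applied to the browser's headers before `request_header_add` appends squid's own copy; the order in which these two directives take effect is an assumption here, and `squid -k parse` plus a request carrying a forged header is the quick way to confirm it.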

