[squid-users] reverse-proxy with client certificates pass-thru

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 16 22:34:27 UTC 2015


On 17/02/2015 3:16 a.m., Martin Fuchs wrote:
> Hi !
> 
> I'm looking for a possibility to tell squid to pass a certificate presented
> by the client to a cache peer.
> 
> Since I did not find anything, I decided to ask here ;-)
> 
> I saw that it's possible to let squid pass a client certificate to the cache
> peer, but this would not work for our purposes.
> 
> It's an Apple mobile device management system which needs to authenticate
> the clients by their certificates.
> 
> Does anyone have Apple remote profile-management running through a
> reverse-proxy with squid ?

A reverse proxy terminates the HTTPS connection. The client cert only
applies to validate the connection between client and Squid, and Squid
does not have the client's private key needed to encrypt traffic from
that client.

There is splice mode in 3.5, which is to say "don't bump that traffic".

The proper setup is for the proxy to have a cert representing itself
which it uses to validate the HTTPS with the backend service. But I don't
know enough about the Apple system to say if that works like it's
supposed to or if they are tying the cert to what data is accessible.


> 
> This directive alone does not work:
> 
> cache_peer xx.xx.xx.xx parent 443 0 proxy-only no-query no-digest
> originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER front-end-https=on
> name=MDM_HOST_443


PS. DONT_VERIFY_PEER is evil. It basically tells Squid not to care what
the encryption is doing on the connection. You may as well be using
plain-text for all the security it offers now.

The correct configuration is to have the remote peer's CA (and CA chain)
configured as trusted for this peer. Adding that CA to the system
trusted CA set works but is risky; adding it just for those connections
with the cache_peer sslcafile=/sslcapath= option is best.

Amos
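Added illustration, not part of the thread: the weak cache_peer line from the question beside the corrected form Amos describes, in Squid 3.5 syntax. The peer address, hostname and file paths are placeholders; the proxy's own certificate/key (sslcert=/sslkey=) is assumed to have been issued by a CA the backend trusts.

```conf
# Weak: DONT_VERIFY_PEER disables validation of the backend's certificate,
# so Squid will complete a TLS handshake with whatever answers on that address.
cache_peer 192.0.2.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=MDM_HOST_443

# Corrected: trust only the backend's CA chain for this peer (sslcafile= or
# sslcapath=), check the name presented in the certificate (ssldomain=), and
# present the proxy's own certificate to the backend (sslcert=/sslkey=).
# /etc/squid/mdm-backend-ca-chain.pem, mdm.example.internal and the
# proxy-client.* files are placeholder values.
cache_peer 192.0.2.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU ssl sslcafile=/etc/squid/mdm-backend-ca-chain.pem ssldomain=mdm.example.internal sslcert=/etc/squid/proxy-client.pem sslkey=/etc/squid/proxy-client.key front-end-https=on name=MDM_HOST_443
```

With the corrected line Squid refuses the peer connection if the backend's certificate does not chain to the given CA file or does not match ssldomain=, which is exactly the check DONT_VERIFY_PEER switches off.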

