[squid-users] reverse-proxy with client certificates pass-thru
Jason Haar
Jason_Haar at trimble.com
Mon Feb 16 23:03:52 UTC 2015
On 17/02/15 11:34, Amos Jeffries wrote:
> There is splice mode in 3.5. Which is to say "dont bump that traffic".
If you have a reverse-proxy between a client and backend server and the
backend server insists on seeing the client cert, then I think at best
squid is simply a tcp forwarder (i.e. splice mode). It could be easier to
put an xinetd-based forwarder in place or even to publish the backend
onto the Internet directly. Basically squid can add nothing.
We're going through the same process with Microsoft's SCCM server. The
agents use client certs, but we're hoping we can disable the requirement
for client certs on the backend and get the DMZ "security portal" to do
that check itself (as we trust patching our "security portal" more than
patching Microsoft apps). However, that probably won't work and then we
too will be basically doing a tcp forward...
In all fairness, any HTTPS web server that is kept patched, and which
requires validating client certs before even getting to the home page, is
an extremely hard target to hack. Irrespective of the security quality
of the web application itself, if the bad guys can't actually interact
with the web app (because they have no client cert), then their options
are extremely limited.
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
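The second option Jason describes, terminating TLS at the DMZ "security portal" so that it validates the client certificate itself and the backend no longer has to, can be expressed as a Squid 3.5 reverse-proxy (accel) configuration. The fragment below is an added example for this thread, not configuration from the original post or from the Squid project; every hostname, address and certificate path in it is an assumed placeholder, and it assumes the backend has been reconfigured to accept connections without a client certificate from the portal's address.

```conf
# Added example (not from the original thread). Squid 3.5 as a client-cert
# validating reverse proxy in front of a backend that no longer demands
# client certs itself. All names/paths below are assumed placeholders.

# Terminate HTTPS at the portal. clientca= makes Squid request a client
# certificate during the handshake; a certificate that does not chain to
# that CA fails the handshake, so the backend never sees the request.
# NO_DEFAULT_CA keeps the system CA bundle out of client-cert validation.
https_port 443 accel defaultsite=sccm.example.com \
    cert=/etc/squid/certs/portal.pem \
    key=/etc/squid/certs/portal.key \
    clientca=/etc/squid/certs/agent-issuing-ca.pem \
    cafile=/etc/squid/certs/agent-issuing-ca.pem \
    sslflags=NO_DEFAULT_CA

# Backend origin server over TLS; the portal verifies the backend's
# certificate against the internal CA rather than trusting it blindly.
cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/certs/internal-ca.pem name=sccm_backend

acl sccm_site dstdomain sccm.example.com
cache_peer_access sccm_backend allow sccm_site
cache_peer_access sccm_backend deny all

# Only the published site is reachable through the portal.
http_access allow sccm_site
http_access deny all

# Forward the validated certificate subject so the backend can still
# attribute the request to an agent identity (assumed header name).
request_header_add X-Client-Cert-Subject "%ssl::>cert_subject" sccm_site
```

The added identity header is only meaningful if the backend accepts it solely from the portal's address and the portal strips any copy of the same header that a client sends (for example with `request_header_access`); check in a test setup that the strip happens before the add on your Squid build, since the point of the design is that nothing reaches the backend without a certificate the portal has verified.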