[squid-users] Mutual authentication managed by Squid

Yuri Voinov yvoinov at gmail.com
Fri Feb 20 09:41:26 UTC 2015


20.02.15 15:34, Ilya Karpov пишет:
> I’m not sure that using transparent sslbump squid will understand how 
> to use client certificate for mutual authentication.
As you configure it.
> At least without transparent ssl bump it doesn’t.
Sure.
> Did you try to use trspr-sslbump for client auth? How does squid pick 
> right client certificate for certain host?
Client auth on HTTPS sites is not function of transparent proxy. And 
yes, we don't use client serts on our transparent proxy. We simple 
bypass this sites directly without bumping. Let's client's do it 
yourself. This is not our responsibility.

I see two ways to do that as you wish.

1. Add sites, required client-certs auth to exclude bump list. I.e., 
exclude proxy from chain.
2. Configure proxy to use client certs with sites requires it using ACL's.

>
> Best regards,
> Ilya Karpov
> karpoftea at gmail.com <mailto:karpoftea at gmail.com>
>
>
>> 20 февр. 2015 г., в 12:24, Yuri Voinov <yvoinov at gmail.com 
>> <mailto:yvoinov at gmail.com>> написал(а):
>>
>> Transparent SSL Bump interception, eh?
>>
>> 20.02.15 15:14, Ilya Karpov пишет:
>>> Hi guys,
>>> can anyone suggest solution to make following scenario work using squid:
>>>
>>> step1.
>>> Client(actually server application) calls HTTP://example 
>>> <http://example/>.org squid via proxy.
>>>  |
>>> V
>>> step2.
>>> Proxy(Squid) understands that all calls to HTTP://example.org 
>>> <http://example.org/> should be changed to HTTPS://example.org 
>>> <https://example.org/>, trusts CA that uses example.org 
>>> <http://example.org/> and knows client certificate to use for https 
>>> client authentication
>>>  |
>>> V
>>> step3.
>>> Origin(some server in internet) accepts https request, authenticates 
>>> client, returns response
>>>
>>> The main aim is to make client know nothing about https complexity 
>>> (storing certificates/keys, knowing specific algorithms etc), and 
>>> make squid manage this things.
>>>
>>>
>>> Best regards,
>>> Ilya Karpov
>>> karpoftea at gmail.com <mailto:karpoftea at gmail.com>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org 
>> <mailto:squid-users at lists.squid-cache.org>
>> http://lists.squid-cache.org/listinfo/squid-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150220/d1ef949f/attachment-0001.html>


More information about the squid-users mailing list