[squid-users] Proxy chain question

Lucas van Braam van Vloten lucas2 at dds.nl
Thu May 21 16:58:46 UTC 2015


Hello list,

In my network I have a Microsoft TMG proxy server for http(s) access to
internet.
This TMG server also serves as a reverse proxy to channel incoming
traffic to a Squid reverse proxy in the internal network (yes, two
reverse proxies in a line).

This Squid server is currently configured as a reverse proxy to allow
traffic from internet to a number of webservices that run on an internal
server.

Now I want to add a function to the squid server, in addition to the
existing function. It should serve as a proxy to allow a client on the
internal network to access a web service on internet.
So, put simply, the traffic goes like this:
Internal client -> Squid Proxy -> TMG proxy -> internet webservice

The reason to use this configuration is because the internet webservice
requires a client certificate for authentication, and TMG is not able to
handle this.
So now I am trying to configure this on my Squid server. I wish to make
my configuration as restrictive as possible. But I am new to the Squid
configuration, and I could use some help.

So basically, I want the following:
1. The client makes an http connection to my Squid proxy
2. The Squid proxy initiates the client certificate authenticated
connection to the internet webservice
3. The connection from the Squid proxy to Internet uses the TMG proxy.

I do not wish to use any form of caching on my Squid server.

I considered using a configuration similar to my reverse proxy
configuration, using the following structure:
(this configuration works)

=====================

# Designate a port and SSL config for this specific webservice
# Local server IP is 192.168.0.1, traffic comes in through the TMG
https_port 192.168.0.1:1443 accel defaultsite=webservice.exposed.address.com vhost <SSL stuff>

# enforce use of https
# (proto acl referenced by the deny rule below; define it if not already present)
acl HTTP proto HTTP
acl webapp_SITES dstdomain webservice.exposed.address.com
http_access deny HTTP webapp_SITES
http_access allow webapp_SITES

# Configure the reverse proxy for clients that connect to the external (exposed) address
acl webapp_URL url_regex ^https://webservice.exposed.address.com
cache_peer internal.server.lan parent 8080 0 no-query no-digest originserver login=PASS name=webservice_APP
cache_peer_access webservice_APP allow webapp_URL
cache_peer_access webservice_APP deny all

=====================

So if I use this for my new purpose, I assume that the cache_peer would
be the internet webservice address, and I could use the sslcert option
to make it use the client certificate. Something like this:

=====================

http_port 192.168.0.1:8080 accel defaultsite=squid.server.lan vhost
acl webapp_URL url_regex ^http://squid.server.lan
# ssl makes Squid speak TLS to this peer; sslcert=/sslkey= supply the client
# certificate and key (placeholder paths)
cache_peer webservice.somewhere.on.internet.com parent 8443 0 no-query no-digest originserver ssl sslcert=/path/to/ssl/cert sslkey=/path/to/ssl/key name=webservice_APP
cache_peer_access webservice_APP allow webapp_URL
cache_peer_access webservice_APP deny all

=====================

My client makes a direct connection to the squid proxy (http) and the
squid proxy connects directly to the internet web service (https) and
handles all the SSL stuff.
However, this does not seem to work. I don't know how I can configure
squid to still use the TMG proxy to access internet.
In addition, I wonder if it is possible to limit access to this, and
only this, specific proxy function to only 1 host. All other reverse
proxy configurations on the server should be accessible to other
clients.

I hope someone could give me some advice...

Thanks!
Lucas
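An added squid.conf fragment (not from the post or from the Squid project) for the two points raised at the end of the post: forcing the new proxy function through the TMG parent, and limiting that function to a single internal host without touching the reverse-proxy ports. The TMG host name and port, the listener port 3128 and the client address 192.168.0.50 are assumed placeholders; the client-certificate leg to the internet webservice is not part of this fragment.

```conf
# Separate, non-accelerated listener for the internal-client-to-internet
# function. name= lets the rules below match this port only, so the existing
# reverse-proxy ports (e.g. the 1443 accel port) are unaffected.
http_port 192.168.0.1:3128 name=fwd_out

acl fwd_out_port myportname fwd_out
# The single internal host allowed to use this function (assumed address).
acl fwd_client src 192.168.0.50/32
# The one internet webservice this function may reach.
acl fwd_dst dstdomain webservice.somewhere.on.internet.com

# Only that client, only that destination, on only that port; anything else
# arriving on the port is refused. Place these above the existing
# reverse-proxy http_access rules so they are evaluated first.
http_access allow fwd_out_port fwd_client fwd_dst
http_access deny fwd_out_port

# No caching anywhere on this server, as the post requires.
cache deny all

# TMG as parent proxy (assumed name and port). never_direct forces Squid to
# send matching requests to a cache_peer instead of going to the internet
# itself; cache_peer_access keeps the TMG peer from being used for anything
# else (the reverse-proxy peers already deny everything but their own URLs).
cache_peer tmg.proxy.lan parent 8080 0 no-query no-digest default name=tmg
cache_peer_access tmg allow fwd_dst
cache_peer_access tmg deny all
never_direct allow fwd_dst
```

With a parent in the path, Squid hands the request for the webservice to TMG as an ordinary proxied request; presenting the client certificate on that leg is the part of the post's requirement this fragment does not cover.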
