[squid-users] Is there a way to allow connection according to user certificate?
Yuri Voinov
yvoinov at gmail.com
Wed May 4 12:09:06 UTC 2016
04.05.16 18:05, Amos Jeffries wrote:
> On 4/05/2016 11:20 p.m., Ser de Bronce wrote:
>> Hi there,
>>
>>
>> Maybe someone already knows any solution:
>>
>>
>> I have transparent proxy and according to some reasons I can’t use
>> login/password authentication. However I still need to control who can
>> access my proxy.
>>
>>
>> I can install certificates to my users. Is it possible to allow connection
>> only if a user has the certificate issued by my CA?
> You seem not to quite understand what the "some reasons" actually are.
> If you did you would not have to ask.
>
>
> Firstly, there is only one reason behind it all.
>
> The reason is that the client thinks it's talking to some service that
> is *not your proxy*. That is very important.
>
>
> Secondly, there is one criterion that determines what works and what fails.
>
> That criterion is "authentication". Specifically in-band authentication.
> Any type of in-band authentication WILL fail. Any type. Not just passwords.
>
> TLS client certificate is just another type of in-band authentication.
> * Which answers your question: No. It won't work the way you want.
>
>
> If you can install certificates that easily, then surely you can just as
> easily assign explicit proxy settings. Doing that would avoid all the
> issues with interception.
>
>
> Also, think about all the passive details / metadata you get from the
> client traffic and how you can use it to authorize access without
> actively engaging the client across the intercepted connection.
>
> There are quite a lot of things you can do. Methods like RADIUS or DHCP
> assigned IP addresses. Static IPs, or MAC address registrations a proxy
> external ACL helper can lookup to identify the client account.
Just in addition. DHCP with infinite lease, or static binding, or IDENT
;) Or, yes, RADIUS....
>
> Amos
>
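Amos's suggestion of an external ACL helper that identifies the client from passive details, as an added example that is not from the thread or from the Squid project: a minimal helper speaking Squid's external_acl_type line protocol, mapping the %SRC address to a registered account. The IP-to-account registry, the account names and the helper path are constructed for illustration.

```python
"""Squid external ACL helper: authorize intercepted clients by source IP
against a registration table (no in-band authentication involved).

Constructed example. Assumed squid.conf wiring (directive names are Squid's):
  external_acl_type ipreg ttl=300 concurrency=16 %SRC /usr/local/bin/ipreg_acl.py
  acl registered external ipreg
  http_access allow registered
  http_access deny all
"""
import ipaddress
import sys

# Constructed sample registry (IP -> account). In production this would be fed
# from DHCP static leases, RADIUS accounting or a database of registered hosts.
REGISTRY = {"10.0.0.21": "alice", "10.0.0.22": "bob"}


def decide(line: str, registry: dict, concurrent: bool = True) -> str:
    """Map one request line from Squid to one response line.

    With concurrency=N each request carries a leading channel id that must be
    echoed back. Squid accepts OK / ERR / BH, optionally followed by key=value
    pairs such as user= and message=.
    """
    fields = line.split()
    prefix = ""
    if concurrent:
        if not fields:
            return "BH message=empty_request"
        prefix = fields.pop(0) + " "
    if len(fields) != 1:
        return prefix + "BH message=malformed_request"  # fail closed
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return prefix + "BH message=bad_address"
    account = registry.get(str(ip))
    if account is None:
        return prefix + "ERR message=unregistered_client"
    return prefix + f"OK user={account}"


def main() -> None:
    # Squid keeps the helper running and sends one request per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line, REGISTRY) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Because the decision is based on the source address Squid observed, the intercepted client is never asked for anything, which is what makes this approach work where certificates and passwords do not.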