[squid-users] Is there a way to allow connection according to user certificate?
Yuri Voinov
yvoinov at gmail.com
Thu May 5 13:13:50 UTC 2016
05.05.16 19:06, Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
>
> Sorry for the mess, I'm novice here.
> As it turned out my proxy is not transparent...
>
> By "some reasons" I meant clients' experience reasons, let me explain.
>
> I use explicit proxy and my clients connect to proxy using iPhone only.
> I installed self-signed certificate on every iPhone and made
> login/pass authentication.
> It works perfect for wi-fi connection, because in this case iPhone
> gives a possibility to specify proxy domain, port, login and password.
> However to make them connect to proxy using mobile internet I had to
> install APN profile on each iPhone. Inside APN profile I can specify
> domain and port, but not login and pass (APN doesn't have such
> settings). So when client opens browser using mobile internet he is
> asked for login/pass every time. This situation is not appropriate for
> me so I can't use login/pass.
But this is the default behaviour for proxy with auth.
I still do not understand the purpose for which authentication is required?
>
> I'm thinking that maybe it's possible to replace login/pass
> authentication with certificate authentication.
> I want to authenticate users using a digital certificate they already
> have on their iPhone.
>
> I found some articles about certificate authentication for reverse
> proxy, but can't find anything about explicit one.
A reverse proxy is a different thing from a forwarding/transparent proxy.
AFAIK there is no solution for what you asked.
But you can be first.
I see this:
1. You can write an external auth helper, with Perl/Python/etc., for
authentication.
2. You can set up DHCP with option 252 to push proxy.pac to your clients.
3. You can tell us about success ;)
> Is it possible?
In theory, everything is possible, which does not contradict the laws of
physics. :)
>
> Best Regards,
> Sergey
>
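Added example, not part of the original message and not Squid's own code: a sketch of the external helper suggested in point 1, speaking Squid's line-based external ACL helper protocol. It assumes squid.conf has an external_acl_type entry that passes exactly one identity token per request (what that token is, and whether an iPhone can supply it to an explicit proxy, is the open question in this thread); the allowlist entries and names are constructed.

```python
#!/usr/bin/env python3
"""Squid external ACL helper sketch: allow a request by identity token."""
import sys
from urllib.parse import unquote

# Constructed sample data: identity token -> user name reported to Squid.
ALLOWED = {"iphone-alice": "alice", "iphone bob": "bob"}


def decide(line, allowed=ALLOWED, concurrent=True):
    """Return the reply for one request line from Squid.

    With concurrency enabled Squid prefixes each line with a channel ID
    that must be echoed back; fields arrive URL-escaped and a missing
    value is sent as "-".
    """
    fields = line.strip().split(" ")
    prefix = ""
    if concurrent:
        channel = fields.pop(0)
        if not channel.isdigit():
            return "ERR"          # malformed line: fail closed
        prefix = channel + " "
    # Exactly one token is expected; anything else is denied.
    if len(fields) != 1 or fields[0] in ("", "-"):
        return prefix + "ERR"
    token = unquote(fields[0])
    user = allowed.get(token)     # exact match only, no prefix/substring match
    if user is None:
        return prefix + "ERR"
    return prefix + "OK user=" + user


def main():
    for line in sys.stdin:
        # Replies must not sit in a buffer, so flush after every line.
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The helper denies on any malformed or unknown input, so a parsing surprise cannot turn into an allow.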