[squid-users] explicit forward proxy to server requiring client authentication
Amos Jeffries
squid3 at treenet.co.nz
Wed May 18 05:48:26 UTC 2016
On 18/05/2016 10:05 a.m., Yuri Voinov wrote:
>
> ..... and a bit below in squid.conf.documented we can see.....
>
> # SSL OPTIONS
> #
> -----------------------------------------------------------------------------
>
> # TAG: sslproxy_client_certificate
> # Client SSL Certificate to use when proxying https:// URLs
> #Default:
> # none
>
> # TAG: sslproxy_client_key
> # Client SSL Key to use when proxying https:// URLs
> #Default:
> # none
>
> Ta-daaaaaaaa!
>
You are the one getting it wrong here Yuri :-(

* clientca= is for listening ports. He wants that connection to be cleartext.
* sslproxy_* directives are for generic DIRECT connections. He wants a
specific proxy<->server connection to be TLS authenticated.

For the S<->B connection to use client certificates, cert= and key= on
the cache_peer directive defining that link are correct.

But there are two other details that need to happen for it to work:
* the server actually challenges for the proxy's 'client' cert, and
* the server trusts the CA which signed that cert.

The world of "not working" is a very big place. We need more details of
*how* it's not working in order to have any guideposts towards what the
problem actually is. As Yuri used to say a lot, my psychic friend is on
holiday.

Amos
>
> 18.05.16 3:11, Robert W Weaver wrote:
>> Greetings, squid users and devs,
>
>> I think this is usual, but I can't find examples, and I can't make it
>> work. :-)
>
>> The issue is I need to connect to a site that requires client
>> authentication. Don't want to put the key and cert on each individual
>> user, so instead want the key and cert on the proxy.
>
>> Diagram:
>
>> User A ---> Squid S ---> Server B
>>         ^            ^
>>         |            +-- TLS client authentication
>>         +-- cleartext okay
>
>> I'm able to bump, but the client authentication to server B isn't
>> working. Configured cert and key on S with ssl-bump cert= .. key= ..
>> but that isn't working.
>
>> Is this not possible?
>
>> --woody
>
>
>> /--
>> "I used to wish the universe were fair. Then one day it hit me: What if
>> the universe were fair? Then all the awful things that happen to us in
>> life, would happen because we deserved them. So now I take great pleasure
>> in the general hostility and unfairness of things."
>> -- Marcus, on Babylon 5/
>
>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
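
The two server-side conditions named in the reply (the server challenges for a client certificate, and it trusts the CA that signed the proxy's certificate) can be checked from the proxy host by reading what `openssl s_client` prints about the handshake. The script below is an added example, not part of the original thread or of Squid; the function names, sample DNs and the host placeholder are assumptions made for illustration.

```shell
# Added example (not from the thread). Classifies saved output of
#   openssl s_client -connect HOST:443 </dev/null >handshake.txt 2>&1
# (HOST is a placeholder for server B) against the two conditions above.

# Print the CA names the server listed when asking for a certificate,
# one DN per line.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        /^---/ || /^(Client Certificate Types|Peer sign|Server Temp Key)/ ||
            /Signature Algorithms/ { grab = 0 }
        grab && NF { print }
    ' "$1"
}

# check_client_auth FILE ISSUER_DN -> no-ca-names | ca-not-listed | ca-listed
# ISSUER_DN is the issuer of the proxy's client certificate, written the way
# the same OpenSSL build prints DNs (see: openssl x509 -noout -issuer).
check_client_auth() {
    cas=$(acceptable_cas "$1")
    if [ -z "$cas" ]; then
        # No CA list in the output: the server either never asked for a
        # client certificate or asked without naming any CA.
        echo no-ca-names
    elif printf '%s\n' "$cas" | grep -Fxq -- "$2"; then
        echo ca-listed
    else
        echo ca-not-listed
    fi
}

# Constructed sample: trimmed output from a server that requests a cert.
sample_challenge() {
    cat <<'EOF'
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Client CA
C = US, O = Example Corp, CN = Example Partner CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
EOF
}

# Constructed sample: output from a server that sent no CA names.
sample_no_challenge() {
    printf '%s\n' '---' 'No client certificate CA names sent' '---'
}
```

A `no-ca-names` result points at the first condition and `ca-not-listed` at the second; `ca-listed` means both hold from the server's side and the remaining question is whether the proxy actually presents the certificate on that link.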