[squid-users] (no subject)

Amos Jeffries squid3 at treenet.co.nz
Sat Jul 14 06:58:44 UTC 2018


On 14/07/18 12:34, Krystyna Niesiołowska wrote:
> Hi All,
> 
> In my company, the HR uses an outsourced SaaS (on a unique public IP)
> configured with a commercial SSL certificate (i.e. I have both the
> private and the public key) accessed by our employees via a subdomain of
> our company domain (saas.company.com).
> Unfortunately, we cannot control the data being transferred by the HR
> people and because of the GDPR the board wants to be able to get alerts
> if anyone tries to transfer personal data to the cloud + a general
> channel to check against any data exfiltration.
> 
> 
> My idea is to set up routing of all traffic going to saas.company.com
> via a box running Squid with SSL interception.
> I would like to install the same cert as the one used with the SaaS.
> This is to avoid the need of installing any additional certs on users'
> machines. Unfortunately, I cannot find an option to set Squid up with a
> single commercial cert instead of a CA (commonly used when intercepting
> to generate individual certs for all of the SSL traffic).
> 
> Does anybody have any suggestions on the viable setup?
> 

What you are calling a "commercial certificate" is actually a server
certificate. It is solely for use on servers and reverse proxies.

So you need to set up Squid as a reverse-proxy (aka CDN frontend) to the
SAAS service instead.

To do that, have your network DNS resolver provide the internal clients
with the proxy IP address instead of the remote server's IP, and in
squid.conf:

 # terminate client TLS on the proxy with the site's own server cert and key
 https_port 443 accel cert=... key=...
 acl saas dstdomain saas.example.com
 # cache_peer hostname type http-port icp-port [options]
 cache_peer saas.example.com parent 443 0 originserver ssl
 # cache_peer_access cache-host allow|deny aclname
 cache_peer_access saas.example.com allow saas
 cache_peer_access saas.example.com deny all


Amos
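An added check, not from this thread or from the Squid project, that lints a squid.conf fragment for the reverse-proxy pattern described above and flags the ssl-bump port mode that a plain server certificate cannot support; the host names and certificate paths in it are placeholders:

```python
"""Added example, not from the thread or the Squid project: lint a squid.conf
fragment for the reverse-proxy pattern Amos describes, and flag the ssl-bump
mode the original poster was reaching for. Paths and names are placeholders."""
import shlex
from typing import Dict, List

CONF_OK = """
https_port 443 accel cert=/etc/squid/saas.pem key=/etc/squid/saas.key
acl saas dstdomain saas.example.com
cache_peer saas.example.com parent 443 0 originserver ssl
cache_peer_access saas.example.com allow saas
cache_peer_access saas.example.com deny all
"""

def lint_accel(conf: str) -> List[str]:
    """Return the problems found; an empty list means the fragment looks sound."""
    rows = [shlex.split(ln.split("#", 1)[0]) for ln in conf.splitlines()
            if ln.split("#", 1)[0].strip()]
    problems: List[str] = []
    acls = {r[1] for r in rows if r[0] == "acl" and len(r) > 2}
    peers: Dict[str, List[str]] = {}  # peer host -> option tokens
    for r in rows:
        if r[0] == "https_port":
            opts = r[2:]
            if "ssl-bump" in opts:
                problems.append("ssl-bump mints per-site certs and needs a CA; "
                                "a server certificate only fits accel mode")
            if "accel" not in opts:
                problems.append("https_port lacks accel: not a reverse proxy")
            for key in ("cert=", "key="):
                if not any(o.startswith(key) for o in opts):
                    problems.append(f"https_port lacks {key}")
        elif r[0] == "cache_peer":  # cache_peer host type http-port icp-port [opts]
            if len(r) < 5 or r[2] not in ("parent", "sibling", "multicast"):
                problems.append(f"{' '.join(r)}: peer type missing or misplaced")
                continue
            peers[r[1]] = r[5:]
            if "originserver" not in r[5:]:
                problems.append(f"cache_peer {r[1]} is not marked originserver")
            if not {"ssl", "tls"} & set(r[5:]):
                problems.append(f"cache_peer {r[1]} talks plain HTTP to the origin")
    for r in rows:  # cache_peer_access peer-host allow|deny [!]aclname
        if r[0] == "cache_peer_access" and len(r) >= 4:
            if r[1] not in peers:
                problems.append(f"cache_peer_access names unknown peer {r[1]}")
            if r[3].lstrip("!") not in acls | {"all"}:
                problems.append(f"cache_peer_access uses undefined acl {r[3]}")
    if not peers:
        problems.append("no cache_peer pointing at the SaaS origin")
    return problems
```

Running `lint_accel(CONF_OK)` returns an empty list; feeding it an `https_port 443 ssl-bump ...` line instead reports that ssl-bump needs a CA and that accel is missing.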

