[squid-users] CFG for access using certificates
Jānis
je at ktf.rtu.lv
Tue May 28 11:56:29 UTC 2019
Quoting Amos Jeffries <squid3 at treenet.co.nz>
Sun, 19 May 2019 14:53:33 +1200:
> On 19/05/19 5:45 am, Jānis wrote:
>> Hi!
>>
>> It is clear to me how to limit access to the proxy from specific IPs using
>> ACL.
>> I wish to create the config for the use of the proxy over SSL from any
>> address. What would a basic cfg look like, assuming it is the only way
>> to use the proxy?
>
> https_port 3127 tls-cert=/etc/squid/proxy.pem
> http_access allow all
>
> I hope you can see that this is *not* secure in any way. Simple TLS to a
> proxy only protects the in-transit bytes against spying. The proxy is an
> open-proxy for any attacker to use at will, and the TLS can trivially be
> MITM'd.
>
> You still need to have security checks (http_access rules) to check
> whether the client is authorized to use the proxy.
Could it be user/password authentication? Is it plain-text or also over SSL?
The other solution could be using SSL tunnels with private key
authentication.
Janis
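
An added illustration of the http_access point in the quoted reply (not configuration posted by either participant): the open-proxy rules from the thread next to a variant that requires a proxy username and password. The helper path, password file and realm are assumptions that vary by installation; with Basic authentication the credentials travel in the Proxy-Authorization header, so on an https_port they are sent inside the TLS session.

```conf
# --- As posted in the thread: TLS listener, but an open proxy ---
# https_port 3127 tls-cert=/etc/squid/proxy.pem
# http_access allow all

# --- Variant that requires a login before any request is allowed ---
https_port 3127 tls-cert=/etc/squid/proxy.pem

# Basic authentication helper (assumed path; differs per distribution).
# /etc/squid/passwd is an assumed htpasswd-format file.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
auth_param basic children 5
auth_param basic credentialsttl 2 hours

# Matches only requests that carry valid proxy credentials.
acl authenticated proxy_auth REQUIRED

# Rules are evaluated top to bottom and the first match wins,
# so the catch-all deny goes last.
http_access allow authenticated
http_access deny all
```

Running `squid -k parse` checks the file for syntax errors before the proxy is reloaded.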