[squid-users] Squid proxy configuration for client SSL termination
Amos Jeffries
squid3 at treenet.co.nz
Thu Apr 16 05:06:02 UTC 2020
On 16/04/20 1:23 pm, Michael Leikind wrote:
> Greetings to the Squid community!
>
> I would like to get the recommendation on how to configure Squid (latest
> version) with client SSL termination.
>
> The requirement is to provide proxy access to the internet for the
> client who has no ability to install a custom CA certificate.
>
> Following the documentation here
> <https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>,
> it is possible to use HTTPS for the browser-proxy connection the same
> way as HTTP.
>
> However, the only way to achieve that
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit> is
> to use SSL Interception with a self-signed CA certificate, which cannot
> work in my case.
>
> Can someone please advise?
>
Clients *always* need a CA to trust TLS connections.

But, there are two types of "client termination". Only intercepted
traffic requires the CA private keys to be on the proxy - which is where
the custom CA installation comes from.

A TLS explicit proxy using TLS to receive traffic (HTTP, HTTPS and
other) can use a normal server certificate signed by a global CA the
clients *may* already trust.

Amos
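
A squid.conf sketch of the explicit TLS proxy case described in the reply above, added here as an illustration and not taken from the original post or the Squid wiki. It assumes Squid 4 or later option names; the hostname, port, file paths and client network are placeholders.

```conf
# Added example: every hostname, port, path and address below is a placeholder.

# Explicit TLS proxy listener: the browser opens a TLS connection to the
# proxy itself and sends its proxy requests (plain HTTP requests and
# CONNECT tunnels for HTTPS sites) inside that connection.
# The certificate is an ordinary server certificate issued for the proxy's
# own hostname by a CA the clients already trust. Only this server key is
# stored on the proxy; no CA private key is needed.
https_port 3129 tls-cert=/etc/squid/tls/proxy.example.com.pem tls-key=/etc/squid/tls/proxy.example.com.key

# No ssl_bump rules are defined. HTTPS traffic to origin servers passes
# through CONNECT tunnels unmodified, so clients validate each origin
# site's real certificate end to end.

# Restrict use of the proxy to the known client network.
acl proxy_clients src 192.0.2.0/24
http_access allow proxy_clients
http_access deny all

# Client side: the browser has to be told that the proxy speaks TLS,
# typically with a PAC file such as:
#   function FindProxyForURL(url, host) {
#     return "HTTPS proxy.example.com:3129";
#   }
# The name in the PAC file must match the name in the certificate.

# For contrast, the SslBump setup from the question loads a CA certificate
# and its private key so that Squid can mint certificates for the sites it
# intercepts. That CA is the one each client would have to install.
```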