[squid-users] Let Squid use SSL certificate for a parent cache peer

Amos Jeffries squid3 at treenet.co.nz
Tue May 5 09:30:34 UTC 2020


On 5/05/20 9:04 pm, mariolatif741 wrote:
> Hello,
> 
> I have a Squid proxy server (proxy A) and I redirect all its traffic to
> another proxy (proxy B) using a parent cache peer.
> 
> However, proxy B requires an SSL certificate to be used so it can intercept
> the HTTPS requests and read them.
> 
> I want to specify the path of the CA certificate to Squid in proxy A so my
> users can be redirected to proxy B without having to install the CA
> certificate.
> 
> Is it possible?

If the client is participating in the TLS handshake it *always* requires
the CA to be installed.


To use TLS on the connection between proxyA and proxyB:

  cache_peer proxyB parent 3128 0 tls-cafile=/path/to/proxyB_CA.pem

Note that this is only to encrypt traffic between the proxies, when the
client is not involved.


To further improve security you should also use a client certificate for
proxyA and set up client cert validation between the proxies.

Amos
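
Added example, not part of the original message: a pre-deployment check that proxyB's certificate chains to the CA file named on the cache_peer line and carries the peer's name. The function names, file names and the throwaway CAs and certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: all keys, certificates and names below are constructed.

# peer_cert_trusted CA_FILE CERT_FILE PEER_NAME
# Exit 0 only if CERT_FILE chains to CA_FILE and is valid for PEER_NAME.
peer_cert_trusted() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null \
        | grep -q ': OK$'
}

# new_ca DIR NAME: throwaway self-signed CA (DIR/NAME.pem, DIR/NAME.key)
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_leaf DIR CA_NAME HOST: certificate for HOST signed by CA_NAME
new_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# Demonstration on constructed material: one CA that signed proxyB's
# certificate and one unrelated CA.
demo=$(mktemp -d)
new_ca "$demo" proxyB_CA
new_ca "$demo" other_CA
new_leaf "$demo" proxyB_CA proxyB

for ca in proxyB_CA other_CA; do
    if peer_cert_trusted "$demo/$ca.pem" "$demo/proxyB.pem" proxyB; then
        echo "$ca.pem: proxyB certificate verifies"
    else
        echo "$ca.pem: proxyB certificate rejected"
    fi
done
```

Against a real deployment, pass the PEM file intended for the cache_peer line and a saved copy of proxyB's certificate instead of the constructed files.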

