[squid-users] Forward proxy with certificates
Alex Rousskov
rousskov at measurement-factory.com
Wed Aug 17 17:32:47 UTC 2022
On 8/17/22 11:11, Chris XMT wrote:
> My company implemented a new proxy (Zscaler) that requires the use of
> SSL certificates. I have "black boxes" that allow me to configure a
> proxy, but not to add these needed certificates. This prevents these
> linux systems from making HTTPS requests.
When using Squid, do you configure "black boxes" to use Squid's
http_port or Squid's https_port? If it is the latter, make sure that
those "black boxes" support HTTPS forward proxies. Many clients do not!
> I built a RHEL system with Squid running. This system has the corporate
> certs needed to make HTTPS connection; I can confirm that it can do so
> via a curl command. I've spent countless hours trying to make a basic
> configuration that allows this RHEL system to forward the traffic from
> the "black boxes" to their destination. I would just assume to allow
> traffic from anywhere and any system to be forwarded.
For Squid to forward requests to an HTTPS proxy, you need to configure
the corresponding "cache_peer" with "parent", "tls" (or "ssl") and
"sslcert" options. You may also need to disable direct forwarding with
"never_direct allow all" if all traffic should go through that
cache_peer. Have you done that?
http://www.squid-cache.org/Doc/config/cache_peer/
What errors/problems do you see in cache.log and access.log?
> Can anyone offer a basic configuration file that will pass all traffic?
Using something like "http_access allow all" will allow all valid
requests into Squid, but result in an open proxy setup that is often
vulnerable to abuse. Most likely, that is _not_ what you want, and your
primary problem may lie outside Squid access controls.
HTH,
Alex.
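A minimal squid.conf for the setup Alex describes, as an added example that is not from this thread or from the Squid project. It assumes the "black boxes" speak plain HTTP proxy protocol (including CONNECT) to Squid on port 3128, that the upstream HTTPS proxy is reachable at the placeholder upstream-proxy.example.invalid:443, that the corporate client certificate, key and CA live under the placeholder paths in /etc/squid/, and that the black boxes sit in the placeholder subnet 10.20.30.0/24. Instead of "http_access allow all", access is limited to that subnet so Squid does not become an open proxy.

```conf
# Added example squid.conf (not from this thread or the Squid project).
# Placeholders: upstream-proxy.example.invalid, 10.20.30.0/24,
# and the /etc/squid/corp-*.pem paths.

# Plain http_port: the black boxes only need to support an ordinary HTTP
# forward proxy (with CONNECT for HTTPS); Squid does the TLS to the parent.
http_port 3128

# Restrict who may use this proxy. "http_access allow all" would make
# Squid an open proxy; only the black boxes' subnet is allowed here.
# 10.20.30.0/24 is a placeholder subnet.
acl localnet src 10.20.30.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# The HTTPS forward proxy as a TLS parent. "tls" encrypts the connection
# to the peer; sslcert/sslkey present the corporate client certificate;
# sslcafile supplies the private CA that signed the parent's certificate
# (drop it if the parent's certificate chains to a public CA).
# All file paths are placeholders.
cache_peer upstream-proxy.example.invalid parent 443 0 no-query default tls sslcert=/etc/squid/corp-client.pem sslkey=/etc/squid/corp-client.key sslcafile=/etc/squid/corp-ca.pem

# Never go direct: every request must traverse the parent, which is the
# only path that has the required certificates.
never_direct allow all
```

Check the file with `squid -k parse` before reloading, then send one request through a black box and read cache.log and access.log: a TLS handshake failure to the parent shows up in cache.log, while an access.log line ending in the parent's address confirms the cache_peer path was used.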