I am utilizing Squid 2.6-13 in a reverse-proxy configuration. I have an application on a web server that requires client-side certificates that is fronted by the Squid proxy. One of the properties of a client-side certificate is the serial number.

Question #1

Even if I installed the client-certificate's CA on the Squid proxy for it to validate the certificate, there is no way for Squid to then pass on the request to the back-end web server with the client-side certificate. In essence, the certificate presented by the client to Squid is lost in translation as the back-end web server never sees it because Squid makes its own connection on behalf of the initial request but WITHOUT the client-certificate. Correct?

Question #2

In a reverse-proxy set-up, the requests sent to the back-end web server fronted by the Squid proxy will ALWAYS appear with the source IP of the Squid proxy server, NOT the client IP. Correct? Is there no way to change this so it appears to come from the client's IP rather than Squid?

I appreciate the assistance.

Thanks!

--- Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx> wrote:

> Mon 2007-09-10 at 10:13 -0700, techguy005-ml@xxxxxxxxx wrote:
>
> > In a Squid reverse proxy configuration, in order to
> > use client certificates, the respective CA signer of
> > the client-side certificates must be installed on the
> > Squid server (not the web server) level so the
> > end-user gets challenged to present a client-side
> > certificate by Squid instead of by the web server.
> > Correct?
>
> Correct.
>
> > Can Squid be configured to define client-side
> > certificate requirements at the DIRECTORY level (like
> > the aforementioned "/ClientCertRequred/") or do the
> > requirements have to be set based on the web site as a
> > whole (i.e. "www.whatever.com")?
>
> Currently it's per https_port only. Renegotiation of the SSL connection
> by ACL requirements is not yet supported.
>
> Regards
> Henrik