Peter Vereshagin wrote:
You can leave your hat on, apmailist!
You are asking about man-in-the-middle ( mitm ) technique for proxying.
Squid is known to be uncapable of this: it does not parse the SSL requests. It
can proxify them as a vanilla sockets via the HTTP CONNECT method.
I use to implement sich a thing for myself with a set of methods, but the
common choice is: cgi kind of the proxy that is running on the hosting
and the specialized software capable of mitm for https, like the nginx
For the first case, you should dig into the corresponding libraries, like
Net::SSLeay in the case you cgiproxy is made in perl. I myself even not sure if
Net::SSLeay is capable to verify SSL via the CAs list. Probably Curl handles
this better.
For the second case, I've already requested this as a feature for nginx. ( I
did not request x.509 pki feature yet though; only the CAs and CRLs lists to
be possible to supply for nginx's proxy_pass directive ). But anyway: nginx
isn't about to support the CONNECT method like squid does. So you may want to
use the squid with the fake resolver to be able to use your nginx as an https
mitm proxy ;-)
You may find such a code helpful for this:
http://gitweb.vereshagin.org/fcgiproxy There are the config samples somewhere
inside.
Calm down. The request is for a forward proxy. Where CONNECT works.
apmailist:
the configuration is the same for reverse-proxy to its web server as
for a forward proxy to a specific remote site. (in theory you are
reverse-proxying the HTTPS access to that site).
configure squid with a cache_peer using SSL options and the client
cert. Set your client browsers as normal to use the proxy.
2010/05/18 15:40:31 +0200 apmailist@xxxxxxx => To squid-users@xxxxxxxxxxxxxxx :
Hello,
I'm about to ask a daft question, maybe.
Several proxy clients Will need to access a website that requires a
client certificate. In order to avoid deploying this certificate on
each client, we would like to install the certificate on squid so it
can pass it to the web server.
Is this technically possible ?
This is maybe a security breach.
All the info I found relate to certificates and reverse proxies.
Thank you
Andrew
73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.3