On 17/02/2015 3:16 a.m., Martin Fuchs wrote:
> Hi !
>
> I'm looking for a possibility to tell squid to pass a certificate presented
> by the client to a cache peer.
> Since I did not find anything, I decided to ask here ;-)
> I saw that it's possible to let squid pass a client certificate to the cache
> peer, but this would not work for our purposes.
>
> It's an apple mobile device management system which needs to authenticate
> the clients by their certificates.
> Does anyone have apple remote profile-management running through a
> reverse-proxy with squid ?

Reverse proxies terminate the HTTPS connection. The client cert only applies to validate the connection between client and Squid, and Squid does not have the client's private key needed to encrypt traffic from that client.

There is splice mode in 3.5, which is to say "don't bump that traffic".

The proper setup is for the proxy to have a cert representing itself which it uses to validate the HTTPS with the backend service. But I don't know enough about the Apple system to say if that works like it's supposed to or if they are tying the cert to what data is accessible.

> This directive alone does not work:
>
> cache_peer xx.xx.xx.xx parent 443 0 proxy-only no-query no-digest
> originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER front-end-https=on
> name=MDM_HOST_443

PS. DONT_VERIFY_PEER is evil. It basically tells Squid not to care what the encryption is doing on the connection. You may as well be using plain-text for all the security it offers now.

The correct configuration is to have the remote peer's CA (and CA chain) configured as trusted for this peer. Adding that CA to the system trusted CA set works but is risky; adding it just for those connections with the cache_peer sslcafile=/sslcapath= option is best.

Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
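As an added illustration (not part of Amos's reply or the original thread): the cache_peer line from the question with the weak DONT_VERIFY_PEER flag kept as a comment, beside the form Amos describes, where only the backend's own CA is trusted for this peer and the proxy presents its own certificate. The https_port line, the backend address, the hostnames and every file path are assumptions; the cache_peer options used (ssl, sslcafile=, sslcert=, sslkey=, ssldomain=, front-end-https=, login=PASSTHRU) and the https_port options (accel, cert=, key=, clientca=) are real Squid 3.x directives.

```conf
# Added example, not from the squid-users thread. Addresses, names and paths are assumed.

# Front side: Squid terminates the client's TLS here. The client certificate is
# checked against the MDM client CA (assumed path) on this hop only; Squid has
# no way to re-use it towards the backend.
https_port 443 accel defaultsite=mdm.example.com cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key clientca=/etc/squid/mdm-client-ca.pem

# WEAK (the line from the question): DONT_VERIFY_PEER accepts whatever
# certificate the backend presents, so anyone between Squid and the backend
# can impersonate it. Kept commented out for comparison.
#cache_peer 192.0.2.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=MDM_HOST_443

# CORRECTED: trust only the backend's CA chain for this peer (sslcafile=),
# verify the backend certificate against its real name rather than the IP
# (ssldomain=), and present the proxy's own certificate to the backend.
cache_peer 192.0.2.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU ssl sslcafile=/etc/squid/mdm-backend-ca.pem ssldomain=mdm-backend.example.com sslcert=/etc/squid/proxy.pem sslkey=/etc/squid/proxy.key front-end-https=on name=MDM_HOST_443

# Route the accelerated site to that peer and nowhere else.
acl mdm_site dstdomain mdm.example.com
cache_peer_access MDM_HOST_443 allow mdm_site
cache_peer_access MDM_HOST_443 deny all
never_direct allow mdm_site
```

Before reloading, `squid -k parse` catches option typos, and `openssl s_client -connect 192.0.2.10:443 -CAfile /etc/squid/mdm-backend-ca.pem -servername mdm-backend.example.com` (assumed values) should report "Verify return code: 0 (ok)"; if it does not, the CA file is wrong and removing DONT_VERIFY_PEER will break the peer rather than secure it.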