On 17/02/15 11:34, Amos Jeffries wrote:
> There is splice mode in 3.5. Which is to say "don't bump that traffic".
>
> If you have a reverse-proxy between a client and backend server and the
> backend server insists on seeing the client cert, then I think at best
> squid is simply a TCP forwarder (i.e. splice mode). It could be easier to
> put an xinetd-based forwarder in place or even to publish the backend onto
> the Internet directly. Basically squid can add nothing.

We're going through the same process with Microsoft's SCCM server. The agents use client certs, but we're hoping we can disable the requirement for client certs on the backend and get the DMZ "security portal" to do that check itself (as we trust patching our "security portal" more than patching Microsoft apps). However, that probably won't work and then we too will be basically doing a TCP forward...

In all fairness, any HTTPS web server that is kept patched, and which requires validating client certs before even getting to the home page, is an extremely hard target to hack. Irrespective of the security quality of the web application itself, if the bad guys can't actually interact with the web app (because they have no client cert), then their options are extremely limited.

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users