Hello list,

In my network I have a Microsoft TMG proxy server for http(s) access to internet. This TMG server also serves as a reverse proxy to channel incoming traffic to a Squid reverse proxy in the internal network (yes, two reverse proxies in a line). This Squid server is currently configured as a reverse proxy to allow traffic from internet to a number of webservices that run on an internal server.

Now I want to add a function to the squid server, in addition to the existing function. It should serve as a proxy to allow a client on the internal network to access a web service on internet. So, put simply, the traffic goes like this:

Internal client -> Squid Proxy -> TMG proxy -> internet webservice

The reason to use this configuration is because the internet webservice requires a client certificate for authentication, and TMG is not able to handle this.

So now I am trying to configure this on my Squid server. I wish to make my configuration as restrictive as possible. But I am new to the Squid configuration, and I could use some help.

So basically, I want the following:

1. The client makes a http connection to my Squid proxy
2. The Squid proxy initiates the client certificate authenticated connection to the internet webservice
3. The connection from the Squid proxy to Internet uses the TMG proxy.

I do not wish to use any form of caching on my Squid server.

I considered using a configuration similar to my reverse proxy configuration, using the following structure: (this configuration works)

=====================
# Designate a port and SSL config for this specific webservice
# Local server IP is 192.168.0.1, traffic comes in through the TMG
https_port 192.168.0.1:1443 accel defaultsite=webservice.exposed.address.com vhost <SSL stuff>

# enforce use of https
acl webapp_SITES dstdomain webservice.exposed.address.com
http_access deny HTTP webapp_SITES
http_access allow webapp_SITES

# Configure the reverse proxy for clients that connect to the external (exposed) address
acl webapp_URL url_regex ^https://webservice.exposed.address.com
cache_peer internal.server.lan parent 8080 0 no-query no-digest originserver login=PASS name=webservice_APP
cache_peer_access webservice_APP allow webapp_URL
cache_peer_access webservice_APP deny all
=====================

So if I use this for my new purpose, I assume that the cache_peer would be the internet webservice address, and I could use the sslcert option to make it use the client certificate. Something like this:

=====================
http_port 192.168.0.1:8080 accel defaultsite=squid.server.lan vhost
acl webapp_URL url_regex ^http://squid.server.lan
cache_peer webservice.somewhere.on.internet.com parent 8443 0 no-query no-digest originserver sslkey=/path/to/ssl/key name=webservice_APP
cache_peer_access webservice_APP allow webapp_URL
cache_peer_access webservice_APP deny all
=====================

My client makes a direct connection to the squid proxy (http) and the squid proxy connects directly to the internet web service (https) and handles all the SSL stuff.

However, this does not seem to work. I don't know how I can configure squid to still use the TMG proxy to access internet.

In addition, I wonder if it is possible to limit access to this, and only this, specific proxy function to only 1 host.
All other reverse proxy configurations on the server should be accessible to other clients.

I hope someone could give me some advice...

Thanks!
Lucas
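
The two restrictions asked for above (one permitted client for the new listener only, and no caching) can be written as the following squid.conf fragment. It is an added example, not part of the original post: the `certproxy_*` names, the peer name `certproxy_APP` and the client address 192.168.0.50 are assumptions, and it does not address routing the outbound connection through the TMG proxy.

```conf
# Added example, not from the original post. Constructed values:
#   192.168.0.50  = the single internal client allowed to use this function
#   certproxy_*   = hypothetical ACL names, kept distinct from the existing
#                   webapp_* ACLs (reusing an ACL name adds values to it
#                   instead of replacing it)

# Match only requests that arrive on the new plain-HTTP listener
# (http_port 192.168.0.1:8080 in the post).
acl certproxy_port localport 8080

# The one host that may use this function.
acl certproxy_client src 192.168.0.50/32

# Requests addressed to the name the client uses for this function.
acl certproxy_URL url_regex ^http://squid\.server\.lan/

# http_access is first-match: place these two lines before the broader
# "http_access allow" rules that serve the other reverse proxy sites,
# so nothing else can admit traffic on port 8080.
http_access allow certproxy_port certproxy_client certproxy_URL
http_access deny certproxy_port

# Hand requests to the outbound peer only when they come from that
# listener and that client. certproxy_APP is a hypothetical name= value
# for the new cache_peer line; peer names must be unique, so it cannot
# share webservice_APP with the existing internal peer.
cache_peer_access certproxy_APP allow certproxy_port certproxy_client
cache_peer_access certproxy_APP deny all

# Never store responses. This applies to the whole Squid instance,
# including the existing reverse proxy sites.
cache deny all
```

Because the deny rule is scoped with `certproxy_port`, requests arriving on the existing `https_port` listeners are still evaluated against their own `http_access` rules.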