On 4/05/2016 11:20 p.m., Ser de Bronce wrote:
> Hi there,
>
> Maybe someone already knows any solution:
>
> I have transparent proxy and according to some reasons I can’t use
> login/password authentication. However I still need to control who can
> access my proxy.
>
> I can install certificates to my users. Is it possible to allow connection
> only if a user has the certificate issued by my CA?

You seem not to quite understand what the "some reasons" actually are.
If you did you would not have to ask.

Firstly, there is only one reason behind it all. The reason is that the
client thinks it's talking to some service that is *not your proxy*.
That is very important.

Secondly, there is one criterion that determines what works and what
fails. That criterion is "authentication". Specifically in-band
authentication. Any type of in-band authentication WILL fail. Any type.
Not just passwords. TLS client certificate is just another type of
in-band authentication.

 * Which answers your question: No. It won't work the way you want.

If you can install certificates that easily, then surely you can just as
easily assign explicit proxy settings. Doing that would avoid all the
issues with interception.

Also, think about all the passive details / metadata you get from the
client traffic and how you can use it to authorize access without
actively engaging the client across the intercepted connection. There
are quite a lot of things you can do. Methods like RADIUS or DHCP
assigned IP addresses. Static IPs, or MAC address registrations a proxy
external ACL helper can look up to identify the client account.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
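
The external ACL helper lookup mentioned in the reply above, as an added example that is not part of the original post or of Squid itself. The registry contents, account names, helper path and ACL names are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example: Squid external ACL helper that maps passive client details
# (source IP, MAC) to an account without challenging the client in-band.
# Assumed squid.conf wiring (helper path and ACL names are hypothetical):
#   external_acl_type known_client ttl=60 negative_ttl=10 %SRC %SRCEUI48 /usr/local/bin/known_client.py
#   acl registered external known_client
#   http_access allow registered
#   http_access deny all
import ipaddress
import sys

# Constructed sample registry: IP -> (required MAC or None, account).
# In practice this is fed from DHCP leases, RADIUS accounting or a static list.
REGISTRY = {
    "192.0.2.10": ("00:11:22:33:44:55", "alice"),
    "192.0.2.11": (None, "kiosk1"),  # static IP behind a router, MAC not visible
}


def decide(line):
    """Return the helper reply for one '%SRC %SRCEUI48' request line."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    src, mac = fields
    try:
        src = str(ipaddress.ip_address(src))
    except ValueError:
        return "ERR"
    entry = REGISTRY.get(src)
    if entry is None:
        return "ERR"
    required_mac, account = entry
    # Squid sends "-" when it cannot see the MAC (client not on its L2 segment).
    if required_mac is not None and mac.lower() != required_mac:
        return "ERR"
    # user= hands the account name back to Squid for logging and later ACLs.
    return f"OK user={account}"


if __name__ == "__main__":
    for request in sys.stdin:  # one request per line, one reply per line
        print(decide(request), flush=True)
```

Source IP and MAC address are only as trustworthy as the network segment they are observed on, so registrations that pin both values deny by default when the MAC is missing or different.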