05.05.16 19:19, Amos Jeffries wrote:
> On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
>> Dear Amos and Yuri, thanks a lot for your answers.
>>
>> Sorry for the mess, I'm a novice here.
>> As it turned out my proxy is not transparent...
>>
>> By "some reasons" I meant clients' experience reasons, let me explain.
>>
>> I use explicit proxy and my clients connect to proxy using iPhone only.
>> I installed self-signed certificate on every iPhone and made login/pass
>> authentication.
>> It works perfectly for wi-fi connection, because in this case iPhone gives a
>> possibility to specify proxy domain, port, login and password.
>> However to make them connect to proxy using mobile internet I had to
>> install APN profile on each iPhone. Inside APN profile I can specify domain
>> and port, but not login and pass (APN doesn't have such settings). So when
>> client opens browser using mobile internet he is asked for login/pass every
>> time. This situation is not appropriate for me so I can't use login/pass.
>>
>> I'm thinking that maybe it's possible to replace login/pass authentication
>> with certificate authentication.
>> I want to authenticate users using a digital certificate they already have
>> on their iPhone.
>>
>> I found some articles about certificate authentication for reverse proxy,
>> but can't find anything about explicit one.
>> Is it possible?
>
> Squid can listen on an https_port for connections. The TLS settings to
> challenge for client cert are the same for explicit proxy as you would
> find for reverse-proxy.
>
> What you will also find however is that browsers do not do TLS to
> proxies, or if they do, not without jumping through some other hoops
> which are browser dependent.
>
> IIRC;
> * Chrome requires that it is started with certain command line options,
> AND that a PAC file is used with https:// URI for the proxy detail.
>
> * Firefox requires that a PAC file is used with https:// URI for the
> proxy detail AND limits the protocol spoken to those proxies to HTTP/2.

In my personal opinion, that is all for the sake of the crazy idea of pushing HTTPS everywhere - both where it is necessary and where it is not necessary. If you have a hammer, everything looks like a nail.

>
> * Safari and IE - seem not to support TLS proxy at all yet AFAIK.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
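The PAC requirement Amos describes for Chrome and Firefox, shown as an added example that is not part of the original thread: a PAC file that tells the browser to speak TLS to the proxy itself, using the `HTTPS host:port` return form. The proxy name `proxy.example.net` and port `3129` are assumptions, and the file deliberately offers no `DIRECT` fallback for external hosts, so a failed TLS or client-certificate handshake does not silently bypass the proxy.

```javascript
// Added example PAC file (not from the thread). PROXY_HOST and PROXY_PORT are
// assumed values; the host must match a name in the certificate that Squid
// presents on its https_port, or the browser will reject the proxy.
var PROXY_HOST = "proxy.example.net";
var PROXY_PORT = 3129;

// True for literal IPv4 addresses in the loopback or RFC 1918 ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) {
    return false;
  }
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();

  // Single-label names and private literals stay on the local network.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) {
    return "DIRECT";
  }

  // "HTTPS" (rather than "PROXY") makes the browser open a TLS connection
  // to the proxy; that is the connection on which Squid can challenge for
  // a client certificate. There is no ";DIRECT" fallback: if the handshake
  // fails, the request fails instead of leaving unauthenticated.
  return "HTTPS " + PROXY_HOST + ":" + PROXY_PORT;
}
```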