On 16/04/20 1:23 pm, Michael Leikind wrote:
> Greetings to the Squid community!
>
> I would like to get the recommendation on how to configure Squid (latest
> version) with client SSL termination.
>
> The requirement is to provide proxy access to the internet for the
> client who has no ability to install a custom CA certificate.
>
> Following the documentation here
> <https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>,
> it is possible to use HTTPS for the browser-proxy connection the same
> way as HTTP.
>
> However, the only way to achieve that
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit> is
> to use SSL Interception with self-signed CA certificate, which cannot
> work in my case.
>
> Can someone please advise?
>

Clients *always* need a CA to trust TLS connections. But, there are two
types of "client termination".

Only intercepted traffic requires the CA private keys to be on the proxy -
which is where the custom CA installation comes from.

A TLS explicit proxy using TLS to receive traffic (HTTP, HTTPS and other)
can use a normal server certificate signed by a global CA the clients
*may* already trust.

Amos
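
The distinction drawn in the reply above, as an added squid.conf sketch that is not part of the original thread or of the Squid project's documentation. The hostname, port, file paths and client range are placeholders, and the option names assume the Squid 4+ spelling (`tls-cert=` / `tls-key=`).

```conf
# Added example, not from the thread. All names, paths and addresses below
# are placeholders chosen for illustration.

# --- Explicit TLS proxy (no custom CA on clients) -------------------------
# Clients open a TLS connection to the proxy itself and then speak ordinary
# proxy HTTP inside it. The certificate is a normal server certificate for
# the proxy's own hostname, issued by a public CA the clients already trust.
# No CA private key is stored on the proxy.
https_port 3129 tls-cert=/etc/squid/tls/proxy.example.com.fullchain.pem tls-key=/etc/squid/tls/proxy.example.com.key

# Requests for https:// sites arrive as CONNECT tunnels inside that TLS
# session. Without ssl_bump rules the proxy relays them undecrypted, so the
# origin server's own certificate is what the client validates end to end.

# Restrict who may use the proxy (constructed example range).
acl proxy_clients src 192.0.2.0/24
http_access allow proxy_clients
http_access deny all

# --- For contrast: SSL-Bump interception (requires custom CA) -------------
# Here the proxy mints a certificate per visited site, so it must hold a
# signing CA certificate and its private key, and every client must trust
# that CA. This is the setup that does not fit the requirement in the
# question, shown commented out.
# http_port 3128 ssl-bump tls-cert=/etc/squid/tls/bump-ca.pem generate-host-certificates=on
```

A client that supports HTTPS proxies can be checked against this with, for example, `curl --proxy https://proxy.example.com:3129 https://example.org/`; the proxy's certificate is then validated against the client's normal trust store.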