On 21/04/20 11:08 am, Vieri wrote:
> Hi,
>
> Is it possible to somehow combine the filtering capabilities of tproxy ssl-bump for access to https sites and the access control flexibility of proxy_auth (eg. kerberos)?

Please see the FAQ:
<https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F>

> Is having two proxy servers in sequence an acceptable approach, or can it be done within the same instance with the CONNECT method?
>
> My first approach would be to configure clients to send their user credentials to an explicit proxy (Squid #1) which would then proxy_auth via Kerberos to a PDC. ACL rules would be applied here based on users, domains, IP addr., etc.
>
> The http/https traffic would then go forcibly through a tproxy ssl-bump host (Squid #2) which would basically analyze/filter traffic via ICAP.

Why bother with the second proxy at all? The explicit proxy has access to all the details the interception one does (and more - such as credentials). It should be able to do all filtering necessary.

TPROXY and NAT are for proxying traffic of clients which do not support HTTP proxies. They are hugely limited in what they can do.

If you have ability to use explicit-proxy, do so.

Amos
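The single-instance setup suggested in the reply, as an added squid.conf fragment that is not part of the original thread: one explicit proxy port that authenticates via Kerberos, bumps CONNECT tunnels, and hands decrypted requests to ICAP. It assumes Squid 4 or later built with OpenSSL; the hostnames, realm, network range, file paths and ICAP service URL are constructed placeholders.

```conf
# --- Kerberos (Negotiate) authentication on the explicit proxy ---
# Helper path and service principal are assumptions; adjust to the local install.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

acl localnet src 192.0.2.0/24          # constructed client range
acl authenticated proxy_auth REQUIRED

# --- Explicit (forward) proxy port with SSL-Bump ---
# Clients are configured to use proxy.example.com:3128. No TPROXY/NAT is involved,
# so the CONNECT request carries Proxy-Authorization and can be authenticated.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello (SNI) first, then bump the tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# --- Access control: authenticate before anything is allowed out ---
# Requests inside a bumped tunnel are attributed to the user of the CONNECT.
http_access allow localnet authenticated
http_access deny all

# --- Content filtering of plain and bumped traffic via ICAP ---
icap_enable on
icap_service filter_req reqmod_precache icap://127.0.0.1:1344/reqmod bypass=off
adaptation_access filter_req allow all

# Pass the authenticated user name to the ICAP server for per-user policy.
adaptation_send_username on
icap_client_username_header X-Client-Username
```

`bypass=off` makes Squid fail closed when the ICAP service is unreachable, and clients must trust the CA in `bump-ca.pem` for the bumped connections to validate.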