On Monday 27 April 2020 at 23:44:41, Lei Wen wrote:

> The issue we are having right now is the certificate installed on the
> container is a self signed cert, we were trying to migrate this cert to a
> real trusted CA cert, or a Baltimore root cert.

That will not work for an intercepting ("transparent") proxy.

> I do notice that it is illegal for a trusted CA to issue official cert to
> squid because squid itself is man-in-the-middle, so Squid can only accept
> self signed cert and squid as root CA?

This is correct.

Squid is acting as a man-in-the-middle for *any* web request your users choose
to pass through it, therefore it has to present a certificate to their browser
which is valid for whatever domain they have requested.

In effect, it would need a wildcard certificate for the entire Internet.

No CA is going to give you that.

Regards,

Antony.

--
"How I managed so long without this book baffles the mind."

 - Richard Stoakley, Group Program Manager, Microsoft Corporation, referring to
"The Art of Project Management", O'Reilly press

Please reply to the list; please *don't* CC me.
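The point made in the reply above, as an added example that is not part of the original message: a proxy that must present a certificate for whatever host is requested has to sign those certificates itself, which only a CA certificate can do, and an ordinary server certificate of the kind a public CA issues cannot. All host names and the root's name are constructed placeholders, and the script assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example; all names are constructed placeholders. Requires the openssl CLI.
W=$(mktemp -d)

# Private root with CA:TRUE: the only kind of certificate allowed to sign others.
make_root() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' 'CN=Example Proxy Root' '[v3]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign' > "$W/req.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$W/req.cnf" \
        -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
}

# issue SIGNER HOST: mint a server (CA:FALSE) certificate for HOST, signed by SIGNER.
issue() {
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$W/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" -subj "/CN=$2" \
        -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
        -CAcreateserial -days 1 -extfile "$W/$2.ext" -out "$W/$2.pem" 2>/dev/null
}

# verify_via SIGNER HOST: does HOST's certificate chain to the root through SIGNER?
verify_via() {
    openssl verify -CAfile "$W/root.pem" -untrusted "$W/$1.pem" "$W/$2.pem" \
        >/dev/null 2>&1
}

make_root || echo "could not create the root CA (is openssl installed?)" >&2
issue root proxy.example.com || true      # like a server cert bought from a public CA
issue root www.example.org || true        # per-host cert minted from the proxy's own root
issue proxy.example.com www.example.net || true   # minted with the server cert instead

verify_via root www.example.org &&
    echo "minted by own root: accepted by clients that trust that root"
verify_via proxy.example.com www.example.net ||
    echo "minted by a server cert: rejected, the signer is not a CA"
```

The first result holds only for clients that have the private root installed as trusted, which is why the proxy's own root has to be distributed to every browser behind it.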