On 11/14/20 1:53 PM, Bob Rich wrote:

> 1 - Run TLS on the proxy listener. This would use https_port directive
> and would require that we are able to configure the proxy to mandate
> client certificates before allowing the connection to complete. Clients
> with no/invalid certificates wouldn't even get to the point where they
> can send a request to the proxy.

Yes, this is how certificate-based authentication is usually done with Squid. There are large Squid deployments using this mechanism. It is also the most secure method of using a proxy...

    https_port 3443 clientca=auth.pem tls-cert=squid.pem ...

The biggest problem with this approach is being able to configure clients to use an HTTPS proxy (as opposed to using an HTTP proxy for HTTPS traffic). Popular browsers support HTTPS proxies (but may require PAC-based configuration to enable that support [1]). Many clients do not support HTTPS proxies.

[1] Look for "HTTPS proxy" at https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file

Please note that one cannot combine SslBump and certificate-based client authentication on the same port (yet?).

BTW, the other two options for certificate-based authentication that you were thinking about will not work out of the box, for various reasons.

HTH,

Alex.

> 2 - Use ssl-bump functionality to modify the TLS handshake that occurs
> after a CONNECT request to require a valid client certificate before
> completing the request. No idea if this is possible.
>
> 3 - Use either of the above to establish the mutually authenticated TLS
> context and then surface that information through ICAP to offload the
> authorization decision.
>
> I've been able to get ssl-bump working to generate custom certs and I
> have Squid talking to c-icap. I haven't successfully got Squid to prompt
> the client to authenticate and I still have quite a bit of learning to
> do on the ICAP side.
>
> Thanks in advance for any steers (including 'this is a terrible idea' of
> course :)
>
> Lastly I haven't used gmail with a mailing list before. Let me know if
> I'm stomping on some etiquette.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
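Added example, not from Alex's reply or from the Squid project: a PAC file that points browsers at a TLS proxy listener like the https_port line above using the "HTTPS host:port" return value that the MDN page in [1] describes. The proxy host, port and internal domain are assumed; isPlainHostName and dnsDomainIs are redefined so the function also runs under Node.js, outside a browser's PAC engine.

```javascript
// Added example, not from the reply or the Squid project: a PAC file that
// routes browsers through a TLS-protected Squid listener such as the
// "https_port 3443 clientca=..." line in the reply. The proxy name, port and
// internal domain below are assumptions.
//
// PAC runtimes provide isPlainHostName() and dnsDomainIs(); equivalents are
// defined here so the function can also be exercised under Node.js.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// "HTTPS host:port" makes the browser open a TLS connection to the proxy
// itself, which is where Squid demands the client certificate. A plain
// "PROXY host:port" entry would only tunnel HTTPS traffic over a cleartext
// proxy connection and would never reach the clientca check.
var TLS_PROXY = "HTTPS proxy.example.internal:3443"; // assumed listener
var PROXY_HOST = "proxy.example.internal";           // assumed
var INTERNAL_DOMAIN = ".corp.example.internal";      // assumed

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names, the proxy itself and internal services bypass
  // the listener; everything else must authenticate with a certificate.
  if (isPlainHostName(host) || host === PROXY_HOST ||
      dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: a client that cannot speak to an
  // HTTPS proxy fails closed instead of silently bypassing authentication.
  return TLS_PROXY;
}
```

Clients that do not understand the HTTPS keyword will fail to connect rather than fall back to an unauthenticated path, which is the behaviour you want when the listener is the enforcement point.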