Search squid archive

Re: auth_param tls? limiting proxy access based on client TLS authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/14/20 1:53 PM, Bob Rich wrote:

> 1 - Run TLS on the proxy listener.  This would use https_port directive
> and would require that we are able to configure the proxy to mandate
> client certificates before allowing the connection to complete.  Clients
> with no/invalid certificates wouldn't even get to the point where they
> can send a request to the proxy.

Yes, this is how certificate-based authentication is usually done with
Squid. There are large Squid deployments using this mechanism. It is
also the most secure method of using a proxy...

    https_port 3443 clientca=auth.pem tls-cert=squid.pem ...

The biggest problem with this approach is being able to configure
clients to use an HTTPS proxy (as opposed to using an HTTP proxy for
HTTPS traffic). Popular browsers support HTTPS proxies (but may require
PAC-based configuration to enable that support[1]). Many clients do not
support HTTPS proxies.

[1] Look for "HTTPS proxy" at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file

Please note that one cannot combine SslBump and certificate-based client
authentication on the same port (yet?).

BTW, the other two options for certificate-based authentication that you
were thinking about will not work out of the box, for various reasons.


HTH,

Alex.


> 2 - Use ssl-bump functionality to modify the TLS handshake that occurs
> after a CONNECT request to require a valid client certificate before
> completing the request.  No idea if this is possible.
> 
> 3 - Use either of the above to establish the mutually authenticated TLS
> context and then surface that information through ICAP to offload the
> authorization decision.
> 
> I've been able to get ssl-bump working to generate custom certs and I
> have Squid talking to c-icap. I haven't successfully got Squid to prompt
> the client to authenticate and I still have quite a bit of learning to
> do on the ICAP side.
> 
> Thanks in advance for any steers (including 'this is a terrible idea' of
> course :)
> 
> Lastly I haven't used gmail with a mailing list before.  Let me know if
> i've stomping on some etiquette.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux