Search squid archive

Re: Mutual TLS for the upstream example

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Can we try to understand the issue again?

 

In this setup, should squid know about the client certificate and pass it to the service  backend

Or maybe just terminate the clients certificate?

 

I am not sure I understood what you need/want to do with squid.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd@xxxxxxxxx

Zoom: Coming soon

 

 

From: Sergey Maslyakov <evolvah@xxxxxxxxx>
Sent: Friday, January 15, 2021 1:38 AM
To: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Mutual TLS for the upstream example

 

Thank you, Eliezer! I will look into it but it appears that the underlying problem is not solvable by design of the mTLS handshake... There are corner cases that can be solved but not the original issue.

 

 

On Thu, Jan 14, 2021 at 2:39 PM Eliezer Croitoru <ngtech1ltd@xxxxxxxxx> wrote:

I don’t know about Squid but I assume varnish has this feature:

https://docs.varnish-software.com/varnish-cache-plus/features/backend-ssl/

 

If you just need a GW without caching it should work as expected.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd@xxxxxxxxx

Zoom: Coming soon

 

 

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Sergey Maslyakov
Sent: Thursday, January 14, 2021 9:41 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Mutual TLS for the upstream example

 

Folks,

 

Is the CONNECT tunnel designed in a way that enables it to "enrich" the outgoing connection with mTLS authentication? "tls_outgoing_options" does not seem to work the way I was hoping it does.

 

My destination server requires mTLS authentication of the client. I have a valid key-cert pair and I can successfully execute a "curl" command to fetch a document from that server using the key-cert pair at hand.

 

I want to put Squid between my clients (Maven, Gradle, Docker Engine, etc) and the server so that clients would be configured to use the instance of Squid as an HTTPS proxy but would not have to be configured with the mTLS key-cert pair.

 

Here is how I see it:

 

Maven --- (HTTPS/CONNECT) ---> Squid (stores my mTLS key-cert pair) --- (mTLS/SSL) ---> Server

 

Is this doable within Squid architecture?

 

I got it working using NGINX with some minor hiccups and I was hoping I can do it more elegantly with Squid.

 

 

Thank you,

/Sergey

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux