Re: Squid proxy as outgoing gateway

On 9/20/22 00:53, Mark Schenk wrote:

> We have a use case in which we need to do mutual TLS with an upstream server. Our internal services are using their own certificates, and we would like to use the Squid proxy as a kind of gateway to which we send requests for the upstream server. The squid proxy will verify the incoming certificate and if correct, replace it by a certificate that is appropriate for the upstream server. I'm wondering whether this is possible with squid. I have been looking into ssl-bump of squid but couldn't get it working.

I see nothing in your description that would require SslBump. You seem to be describing a reverse proxy for an HTTPS service with certificate-based authentication. The certificates you are talking about sound like client certificates. Squid supports those.


> Has anybody any experience with mutual authentication and squid?

I would start with a basic https_port and TLS cache_peer combo:

  # Squid pretends to be an HTTPS service listening on port 443
  # and requiring client certificates
  https_port 443 accel cert=... tls-cafile=... ...

  # Squid forwards (all? some?) requests to the real HTTPS service
  # that requires client certificates
  cache_peer ... parent 443 0 no-query originserver tls sslcert=... ...
  hierarchical_direct off
  never_direct allow ...


HTH,

Alex.
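As an added worked example (not from Alex's reply or the Squid project), here is the two-directive sketch above expanded into a complete squid.conf for the gateway layout: Squid terminates TLS from the internal services, demands and verifies their client certificates, authorises them by certificate CN, and then presents its own client certificate to the upstream. Every path, hostname and CN below is a placeholder to replace with your own; the option names use the Squid 4+ `tls-` spelling.

```conf
# Added example, not the thread's own configuration.
# All file paths, hostnames and CN values are placeholders.

# --- Client side: Squid terminates TLS and requires a client certificate ---
# clientca= is what makes Squid request a client certificate (and fail the
# handshake if none is presented); tls-cafile= is the trust store used to
# verify it. tls-default-ca=off keeps the system CA bundle out of the picture
# so only your internal CA can issue acceptable client certificates.
https_port 443 accel defaultsite=upstream.example.test \
    cert=/etc/squid/tls/gateway.crt \
    key=/etc/squid/tls/gateway.key \
    clientca=/etc/squid/tls/internal-ca.pem \
    tls-cafile=/etc/squid/tls/internal-ca.pem \
    tls-default-ca=off

# A valid certificate from the internal CA is necessary but not sufficient:
# user_cert matches an attribute of the already-verified client certificate,
# so only the listed service identities may use the gateway at all.
acl internal_services user_cert CN svc-billing.internal svc-orders.internal
http_access allow internal_services
http_access deny all

# --- Upstream side: Squid authenticates itself with its own client cert ---
# tls-cafile= here is the CA that issued the upstream server's certificate;
# Squid verifies the upstream just as the upstream verifies Squid.
cache_peer upstream.example.test parent 443 0 no-query originserver \
    name=upstream tls \
    sslcert=/etc/squid/tls/gateway-client.crt \
    sslkey=/etc/squid/tls/gateway-client.key \
    tls-cafile=/etc/squid/tls/upstream-ca.pem \
    tls-default-ca=off
cache_peer_access upstream allow internal_services
cache_peer_access upstream deny all

# Never go direct: every request must traverse the mutually authenticated
# peer connection, never a plain connection to the origin.
hierarchical_direct off
never_direct allow all

# This is a pass-through gateway, not a cache.
cache deny all
```

Check the file with `squid -k parse` before reloading. A quick handshake check from a client host is `openssl s_client -connect <gateway>:443 -cert svc.crt -key svc.key` (expected to complete) versus the same command without `-cert`/`-key` (expected to fail during the handshake rather than reach `http_access`); the `user_cert` ACL then covers the case of a certificate that is validly signed but belongs to a service you do not want on this gateway.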
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users