On 9/20/22 00:53, Mark Schenk wrote:
> We have a use case in which we need to do mutual TLS with an upstream server. Our internal services are using their own certificates, and we would like to use the SQUID proxy as a kind of gateway to which we send requests for the upstream server. The squid proxy will verify the incoming certificate and if correct, replace it by a certificate that is appropriate for the upstream server. I'm wondering whether this is possible with squid. I have been looking into ssl-bump of squid but couldn't get it working.
I see nothing in your description that would require SslBump. You seem to be describing a reverse proxy for an HTTPS service with certificate-based authentication. The certificates you are talking about sound like client certificates. Squid supports those.
> Has anybody any experience with mutual authentication and squid?
I would start with a basic https_port and TLS cache_peer combo:

    # Squid pretends to be an HTTPS service listening on port 443
    # and requiring client certificates
    https_port 443 accel cert=... tls-cafile=... ...

    # Squid forwards (all? some?) requests to the real HTTPS service
    # that requires client certificates
    cache_peer ... parent 443 0 no-query originserver tls sslcert=... ...
    hierarchical_direct off
    never_direct allow ...

HTH,

Alex.
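To make the sketch above concrete, here is a fuller squid.conf for the same reverse-proxy setup. This is an added example, not Alex's configuration or anything shipped by the Squid project: every file path, the upstream hostname `upstream.example.test`, the peer name `upstream`, and the client-certificate CN values in the `user_cert` ACL are placeholders, and the directive spellings assume Squid 4 or later.

```conf
# Added example (not from the thread). All paths and names are placeholders.

# Front side: Squid terminates TLS and asks the connecting service for a
# client certificate chained to the internal CA in tls-cafile=.
# Without tls-cafile= Squid never requests a client certificate, so the
# gateway would forward for anyone able to reach port 443.
https_port 443 accel defaultsite=upstream.example.test \
    cert=/etc/squid/tls/gateway.crt \
    key=/etc/squid/tls/gateway.key \
    tls-cafile=/etc/squid/tls/internal-ca.pem

# Authorise only requests that arrived with a verified client certificate
# whose subject CN is one of our known internal services.
acl internal_client user_cert CN svc-billing svc-orders
http_access allow internal_client
http_access deny all

# Back side: Squid re-authenticates to the real service with the
# certificate the upstream trusts (this is the "replace it by a certificate
# appropriate for the upstream" step) and verifies the upstream's own
# certificate against the CA that issued it. Leave out
# sslflags=DONT_VERIFY_PEER: it would silently accept any upstream.
cache_peer upstream.example.test parent 443 0 no-query originserver \
    name=upstream tls \
    sslcert=/etc/squid/tls/gateway-client.crt \
    sslkey=/etc/squid/tls/gateway-client.key \
    tls-cafile=/etc/squid/tls/upstream-ca.pem

# Bind the peer to the same ACL so nothing else is ever routed to it.
cache_peer_access upstream allow internal_client
cache_peer_access upstream deny all

# Never contact origins directly; everything must go through the peer.
hierarchical_direct off
never_direct allow all
```

The two `tls-cafile=` settings do different jobs: the one on `https_port` is the trust anchor for certificates presented *to* Squid by internal services, while the one on `cache_peer` is the trust anchor for the certificate Squid receives *from* the upstream. Keeping them as separate, minimal CA bundles (rather than the system store) is what makes each side of the mutual-TLS relationship verifiable and keeps a compromise of one CA from granting access on the other side.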