Let Squid use SSL certificate for a parent cache peer


Let Squid use SSL certificate for a parent cache peer

mariolatif741
Hello,

I have a Squid proxy server (proxy A) and I redirect all its traffic to
another proxy (proxy B) using a parent cache peer.

However, proxy B requires an SSL certificate to be used so it can intercept
the HTTPS requests and read them.

I want to specify the path of the CA certificate to Squid in proxy A so my
users can be redirected to proxy B without having to install the CA
certificate.

Is it possible?



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Let Squid use SSL certificate for a parent cache peer

Amos Jeffries
Administrator
On 5/05/20 9:04 pm, mariolatif741 wrote:

> Hello,
>
> I have a Squid proxy server (proxy A) and I redirect all its traffic to
> another proxy (proxy B) using a parent cache peer.
>
> However, proxy B requires a SSL certificate to be used so it can intercept
> the HTTPS requests and read them.
>
> I want to specify the path of the CA certificate to Squid in proxy A so my
> users can be redirected to proxy B without having to install the CA
> certificate.
>
> Is it possible?

If the client is participating in the TLS handshake it *always* requires
the CA to be installed.


To use TLS on the connection between proxyA and proxyB:

  cache_peer proxyB parent 3128 0 tls-ca=/path/to/proxyB_CA.pem

Note that this is only to encrypt traffic between the proxies, where the
client is not involved.


To further improve security you should also use a client certificate for
proxyA and setup client cert validation between the proxies.

Amos
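A fuller version of the peer-to-peer TLS setup sketched above, with the client-certificate validation Amos recommends on both ends. This is an added example, not part of the original post or of the Squid project's documentation. The hostnames, ports, file paths and the 10.0.0.5 address are assumptions; the option names are those of the Squid 4 cache_peer and https_port directives and should be checked against the squid.conf.documented shipped with the installed version.

```conf
# ---- squid.conf on proxy A (client side of the peer link) ----
# Assumed names and paths: proxyB.example.internal, /etc/squid/tls/*.
# 'tls' turns on TLS to the peer. tls-cafile limits trust to the CA that
# issued proxy B's server certificate and tls-default-ca=off keeps the
# system trust store out of that decision. tls-domain pins the name the peer
# certificate must carry. tls-cert/tls-key present proxy A's own client
# certificate so proxy B can authenticate it.
cache_peer proxyB.example.internal parent 3129 0 no-query default tls tls-cafile=/etc/squid/tls/proxyB_CA.pem tls-default-ca=off tls-domain=proxyB.example.internal tls-cert=/etc/squid/tls/proxyA_client.pem tls-key=/etc/squid/tls/proxyA_client.key tls-min-version=1.2

# Send everything via the peer; never fall back to going direct.
never_direct allow all

# ---- squid.conf on proxy B (server side of the peer link) ----
# A dedicated TLS listener for peers. clientca= makes Squid request a client
# certificate and verify it against that CA; cafile= plus NO_DEFAULT_CA keeps
# verification limited to our own CA rather than the OpenSSL default list.
https_port 3129 name=peers tls-cert=/etc/squid/tls/proxyB_server.pem tls-key=/etc/squid/tls/proxyB_server.key cafile=/etc/squid/tls/proxies_CA.pem clientca=/etc/squid/tls/proxies_CA.pem sslflags=NO_DEFAULT_CA

# Belt and braces: on the peer port, accept only the known peer address and
# a client certificate whose CN is proxy A's (assumed CN).
acl peer_port myportname peers
acl proxyA src 10.0.0.5/32
acl proxyA_cert user_cert CN proxyA.example.internal
http_access allow peer_port proxyA proxyA_cert
http_access deny peer_port
```

Check both files with `squid -k parse` before reloading. Note what this does and does not buy you: the A-to-B hop is now encrypted and mutually authenticated, so a host on that network segment cannot read or impersonate either proxy. It changes nothing about the end-to-end picture for the browser: if proxy B bumps the client's HTTPS, the certificates it mints are still signed by proxy B's CA, and the client still has to trust that CA.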
Re: Let Squid use SSL certificate for a parent cache peer

mariolatif741
Since you said "If the client is participating in the TLS handshake it
*always* requires
the CA to be installed.", then I guess what I want to do is not possible.

Can I make Squid send the requests received from the client to the cache
peer? (so the cache peer would see the requests coming from the Squid server
and not from the client), I think if this is possible then it'd help in my
case.



Re: Let Squid use SSL certificate for a parent cache peer

Antony Stone
On Tuesday 05 May 2020 at 11:48:12, mariolatif741 wrote:

> Since you said "If the client is participating in the TLS handshake it
> *always* requires the CA to be installed.", then I guess what I want to do
> is not possible.
>
> Can I make Squid send the requests received from the client to the cache
> peer? (so the cache peer would see the requests coming from the Squid
> server and not from the client), I think if this is possible then it'd
> help in my case.

What are you trying to achieve?

It sounds as though you want the client to talk to proxy A, which talks to
proxy B, which sends requests to the Internet, and you want to do content
inspection / filtering on proxy B.

What is the purpose of proxy A?

Regards,


Antony.

--
"Remember: the S in IoT stands for Security."

 - Jan-Piet Mens

                                                   Please reply to the list;
                                                         please *don't* CC me.
Re: Let Squid use SSL certificate for a parent cache peer

Amos Jeffries
Administrator
In reply to this post by mariolatif741
On 5/05/20 9:48 pm, mariolatif741 wrote:
> Since you said "If the client is participating in the TLS handshake it
> *always* requires
> the CA to be installed.", then I guess what I want to do is not possible.
>
> Can I make Squid send the requests received from the client to the cache
> peer? (so the cache peer would see the requests coming from the Squid server
> and not from the client), I think if this is possible then it'd help in my
> case.

That is what peers are for. So yes - with the caveat that it is not
clear whether what you are calling "requests" are actually HTTP messages.


Amos
Re: Let Squid use SSL certificate for a parent cache peer

mariolatif741
In reply to this post by Antony Stone
The purpose of proxy A is that it's the proxy that will be given to my
clients. The purpose of all that I am doing is to let my clients use proxy B
indirectly through proxy A (so they can use proxy B without installing the
CA certificate).


Antony Stone wrote

> On Tuesday 05 May 2020 at 11:48:12, mariolatif741 wrote:
>
>> Since you said "If the client is participating in the TLS handshake it
>> *always* requires the CA to be installed.", then I guess what I want to
>> do
>> is not possible.
>>
>> Can I make Squid send the requests received from the client to the cache
>> peer? (so the cache peer would see the requests coming from the Squid
>> server and not from the client), I think if this is possible then it'd
>> help in my case.
>
> What are you trying to achieve?
>
> It sounds as though you want the client to talk to proxy A, which talks to
> proxy B, which sends requests to the Internet, and you want to do content
> inspection / filtering on proxy B.
>
> What is the purpose of proxy A?
>
> Regards,
>
>
> Antony.
>
> --
> "Remember: the S in IoT stands for Security."
>
>  - Jan-Piet Mens
>
>                                                    Please reply to the
> list;
>                                                          please *don't* CC
> me.
Re: Let Squid use SSL certificate for a parent cache peer

Antony Stone
On Tuesday 05 May 2020 at 12:21:19, mariolatif741 wrote:

> The purpose of proxy A is that its the proxy that will be given to my
> clients. The purpose of all what I am doing is to let my clients use proxy
> B indirectly through proxy A (so they can use proxy B without installing
> the CA certificate)

Won't work.

If you are doing HTTPS / SSL / TLS interception *at any point* in the chain
between the client and the real server, then the machine doing the
interception is going to have to generate a fake certificate for what it sends
back to the client (no matter whether that passes through an intermediate
proxy or not), therefore the client needs to have the fake CA certificate
installed in order to trust what it receives.

There is no way for the client to get the "real" certificate from the "real"
server if a machine in between intercepts and decrypts the communication.  If
there were, TLS security would be meaningless.

Regards,


Antony.

--
"Measuring average network latency is about as useful as measuring the mean
temperature of patients in a hospital."

 - Stéphane Bortzmeyer

                                                   Please reply to the list;
                                                         please *don't* CC me.
Re: Let Squid use SSL certificate for a parent cache peer

Amos Jeffries
Administrator
In reply to this post by mariolatif741
On 5/05/20 10:21 pm, mariolatif741 wrote:
> The purpose of proxy A is that its the proxy that will be given to my
> clients. The purpose of all what I am doing is to let my clients use proxy B
> indirectly through proxy A (so they can use proxy B without installing the
> CA certificate)
>

It sounds to me like you only need one proxy. Squid can listen on
multiple ports and treat traffic differently per-port.

If you do not want to (or cannot) install a custom CA on clients that is
fine. It just prevents you from using the SSL-Bump 'bump' action on the
TLS traffic from those clients. More than one proxy will not help with
that restriction.


Amos
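The single-proxy, per-port arrangement Amos describes, written out as an added example (not part of the original thread or of the Squid project's documentation). One Squid instance listens on two ports: clients that have the bumping CA installed are pointed at the port with ssl-bump enabled, and clients without it use a plain port where CONNECT tunnels are relayed untouched. Port numbers, paths, the 10.0.0.0/8 range and the helper location are assumptions; the directive and option names are Squid 4's and should be checked against the installed version's squid.conf.documented.

```conf
# Port 3128: clients that trust our bumping CA. ssl-bump is enabled here and
# Squid mints per-site certificates signed by the CA in bump_ca.pem/bump_ca.key
# (assumed paths).
http_port 3128 name=bumped ssl-bump tls-cert=/etc/squid/tls/bump_ca.pem tls-key=/etc/squid/tls/bump_ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Port 3129: clients without the CA. No ssl-bump option, so CONNECT tunnels
# pass through opaquely; Squid sees only the destination host:port.
http_port 3129 name=passthrough

# Certificate-generation helper (install path differs by distribution).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Bumping policy. ssl_bump rules are only evaluated for ports that carry the
# ssl-bump option. Peek at step 1 so the SNI is available to ACLs and logs,
# bump traffic that arrived on the bumping port, splice anything else.
acl bumped_port myportname bumped
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump bumped_port
ssl_bump splice all

# Ordinary access policy shared by both ports.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Initialise the certificate database once before starting Squid (`security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB`, owned by the Squid user), then `squid -k parse` to validate. The `myportname` ACL is what lets one instance treat traffic differently by listening port; it is also how you would splice selectively if ssl-bump were later enabled on more than one port. Clients on 3129 get no interception at all, which is exactly the restriction Amos describes: without the CA installed there is no bump, however many proxies sit in the path.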