Squid proxy configuration for client SSL termination


Michael Leikind

Greetings to the Squid community!

I would like to get a recommendation on how to configure Squid (latest version) with client SSL termination.

The requirement is to provide proxy access to the internet for the client who has no ability to install a custom CA certificate.

Following the documentation here, it is possible to use HTTPS for the browser-proxy connection the same way as HTTP.

However, the only way to achieve that is to use SSL Interception with a self-signed CA certificate, which cannot work in my case.

Can someone please advise?

Thank you!


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid proxy configuration for client SSL termination

Amos Jeffries
Administrator
On 16/04/20 1:23 pm, Michael Leikind wrote:

> Greetings to the Squid community!
>
> I would like to get the recommendation on how to configure Squid (latest
> version) with client SSL termination.
>
> The requirement is to provide proxy access to the internet for the
> client who has no ability to install a custom CA certificate.
>
> Following the documentation here
> <https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>,
> it is possible to use HTTPS for the browser-proxy connection the same
> way as HTTP.
>
> However, the only way to achieve that
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit> is
> to use SSL Interception with self-signed CA certificate, which cannot
> work in my case.
>
> Can someone please advise?
>

Clients *always* need a CA to trust TLS connections.

But, there are two types of "client termination".  Only intercepted
traffic requires the CA private keys to be on the proxy - which is where
the custom CA installation comes from.


A TLS explicit proxy using TLS to receive traffic (HTTP, HTTPS and
other) can use a normal server certificate signed by a global CA the
clients *may* already trust.


Amos
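
The two kinds of listener contrasted in the reply above, as an added squid.conf sketch that is not part of the original thread. It assumes Squid 4 or later option names; the hostname, port, file paths and client network are placeholders.

```conf
# --- TLS explicit proxy: the setup the reply describes ---
# Clients are configured to reach the proxy itself over TLS.
# The certificate is an ordinary server certificate for the proxy's
# own hostname (placeholder: proxy.example.com), issued by a public CA
# that clients may already trust. No CA private key lives on the proxy.
https_port 3129 \
    tls-cert=/etc/squid/tls/proxy.example.com.fullchain.pem \
    tls-key=/etc/squid/tls/proxy.example.com.key

# Limit who may use the proxy (placeholder client network).
acl clients src 192.0.2.0/24
http_access allow clients
http_access deny all

# --- SSL-Bump interception: shown for contrast, left disabled ---
# Here the proxy holds a signing CA certificate and its private key and
# generates a certificate per origin site. Clients only accept those
# if that CA has been installed on them, which is the custom CA
# requirement the question wants to avoid.
#http_port 3128 ssl-bump \
#    tls-cert=/etc/squid/ssl_cert/myCA.pem \
#    generate-host-certificates=on \
#    dynamic_cert_mem_cache_size=4MB
```

With the first listener, HTTPS requests to origin sites still travel as CONNECT tunnels inside the TLS connection to the proxy, so the proxy does not see their content.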