Re: Squid proxy configuration for client SSL termination
On 16/04/20 1:23 pm, Michael Leikind wrote:
> Greetings to the Squid community!
> I would like to get the recommendation on how to configure Squid (latest
> version) with client SSL termination.
> The requirement is to provide proxy access to the internet for the
> client who has no ability to install a custom CA certificate.
> Following the documentation here
> it is possible to use HTTPS for the browser-proxy connection the same
> way as HTTP.
> However, the only way to achieve that
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit> is
> to use SSL Interception with a self-signed CA certificate, which cannot
> work in my case.
> Can someone please advise?
Clients *always* need a CA to trust TLS connections.
But, there are two types of "client termination". Only intercepted
traffic requires the CA private keys to be on the proxy - which is where
the custom CA installation comes from.
A TLS explicit proxy using TLS to receive traffic (HTTP, HTTPS and
other) can use a normal server certificate signed by a global CA the
clients *may* already trust.
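
A sketch of the second case described in the reply above, as an added example that is not part of the original thread: a Squid 4 or later explicit proxy that listens on a TLS port with an ordinary server certificate, with the SSL-Bump listener shown commented out for contrast. The hostname, port, file paths and client network are assumptions.

```conf
# squid.conf (Squid 4 or later, built with TLS support).
# Assumed placeholders: proxy.example.com, port 3129, the certificate
# paths and the 192.0.2.0/24 client network.

# Explicit proxy reached over TLS. The listener presents a normal server
# certificate for proxy.example.com issued by a public CA, so clients
# validate it with the trust store they already have. No CA private key
# is stored on the proxy.
https_port 3129 tls-cert=/etc/squid/tls/proxy.example.com.fullchain.pem tls-key=/etc/squid/tls/proxy.example.com.key

# For contrast, SSL-Bump interception needs a signing CA (certificate and
# private key) on the proxy, and every client has to trust that CA:
# http_port 3128 ssl-bump tls-cert=/etc/squid/tls/bump-ca.pem generate-host-certificates=on

# Only the known client network may use the proxy.
acl clients src 192.0.2.0/24
http_access allow clients
http_access deny all

# Client side: the proxy must be configured as an HTTPS proxy, for example
# a PAC file returning "HTTPS proxy.example.com:3129", or
#   curl --proxy https://proxy.example.com:3129 https://example.org/
# Requests for https:// origins still travel as CONNECT tunnels inside the
# TLS connection to the proxy; this listener does not decrypt them.
```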