Re: [squid-users] Client-Side Certificates at the Directory Level?

From: <techguy005-ml@dont-contact.us>
Date: Wed, 12 Sep 2007 16:41:41 -0700 (PDT)

I am utilizing Squid 2.6-13 in a reverse-proxy
configuration.

I have an application on a web server that requires
client-side certificates and that is fronted by the
Squid proxy. One of the properties of a client-side
certificate is the serial number.

Question #1

Even if I installed the client-certificate's CA on the
Squid proxy for it to validate the certificate, there
is no way for Squid to then pass on the request to the
back-end web server with the client-side certificate.
In essence, the certificate presented by the client to
Squid is lost in translation as the back-end web
server never sees it because Squid makes its own
connection on behalf of the initial request but
WITHOUT the client-certificate. Correct?

Question #2

In a reverse-proxy set-up, the requests sent to the
back-end web server fronted by the Squid proxy will
ALWAYS appear with the source IP of the Squid proxy
server, NOT the client IP. Correct? Is there no way
to change this so it appears to come from the client's
IP rather than Squid's?

I appreciate the assistance. Thanks!

--- Henrik Nordström <henrik@henriknordstrom.net>
wrote:

> Mon 2007-09-10 at 10:13 -0700, techguy005-ml@yahoo.com
> wrote:
>
> > In a Squid reverse proxy configuration, in order to
> > use client certificates, the respective CA signer of
> > the client-side certificates must be installed on the
> > Squid server (not the web server) level so the
> > end-user gets challenged to present a client-side
> > certificate by Squid instead of by the web server.
> >
> > Correct?
>
> Correct.
>
> > Can Squid be configured to define client-side
> > certificate requirements at the DIRECTORY level (like
> > the aforementioned "/ClientCertRequred/") or do the
> > requirements have to be set based on the web site as a
> > whole (i.e. "www.whatever.com")?
>
> Currently it's per https_port only. Renegotiation of
> the SSL connection by ACL requirements is not yet supported.
>
> Regards
> Henrik
>
>
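The following squid.conf fragment is an added illustration, not configuration posted in this thread, of what Henrik's "per https_port only" answer means in practice: the client-certificate requirement is attached to the listening port, the backend is reached over a separate TLS session that Squid opens with its own credentials, and connections to the backend carry Squid's address. The hostnames, file paths and backend address are placeholders; `clientca=`, `cafile=`, the `ssl`/`sslcert=`/`sslkey=`/`sslcafile=` options on `cache_peer`, and `forwarded_for` are standard Squid 2.6 directives.

```conf
# Added illustration (not from the thread): a minimal Squid 2.6 reverse-proxy
# (accel) listener that demands a client certificate at the TLS layer.
# Hostnames, certificate paths and the backend address are placeholders.

# The client-certificate requirement is a property of this https_port as a
# whole. Squid cannot tighten it for one directory such as
# /ClientCertRequred/, because renegotiating the TLS session on the basis of
# an ACL match is not supported.
https_port 443 accel defaultsite=www.example.com vhost \
    cert=/etc/squid/certs/server.crt \
    key=/etc/squid/certs/server.key \
    clientca=/etc/squid/certs/client-ca.pem \
    cafile=/etc/squid/certs/client-ca.pem

# The backend is reached over a second, independent TLS session. Any
# certificate Squid presents here is Squid's own (sslcert=/sslkey=), never
# the certificate the end user presented, so the backend does not see the
# client certificate or its serial number.
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl \
    sslcert=/etc/squid/certs/proxy-client.crt \
    sslkey=/etc/squid/certs/proxy-client.key \
    sslcafile=/etc/squid/certs/backend-ca.pem

# Connections to the backend originate from Squid's own address. Squid can
# record the original client address in the X-Forwarded-For request header;
# the backend should trust that header only for requests arriving from this
# proxy, because any direct client could otherwise supply its own value.
forwarded_for on

# Restrict the listener to the site it fronts.
acl backend_site dstdomain www.example.com
http_access allow backend_site
http_access deny all
```

Verification of the client-certificate requirement belongs at the `https_port` in question: a TLS handshake to that port without a certificate from the configured CA should fail, while the backend, reached directly on its own address, must enforce its own access rules because it cannot rely on a certificate it never receives.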
Received on Wed Sep 12 2007 - 17:42:13 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Oct 01 2007 - 12:00:02 MDT