Re: [squid-users] "Proxying" a client certificate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 19 May 2010 03:28:28 +1200

Peter Vereshagin wrote:
> You can leave your hat on, apmailist!
>
> You are asking about man-in-the-middle ( mitm ) technique for proxying.
> Squid is known to be incapable of this: it does not parse the SSL requests. It
> can proxy them as vanilla sockets via the HTTP CONNECT method.
> I used to implement such a thing for myself with a set of methods, but the
> common choice is: a cgi kind of proxy that is running on the hosting
> and the specialized software capable of mitm for https, like the nginx
> For the first case, you should dig into the corresponding libraries, like
> Net::SSLeay in case your cgiproxy is made in Perl. I myself am not even sure if
> Net::SSLeay is capable of verifying SSL via the CAs list. Probably Curl handles
> this better.
> For the second case, I've already requested this as a feature for nginx. ( I
> did not request x.509 pki feature yet though; only the CAs and CRLs lists to
> be possible to supply for nginx's proxy_pass directive ). But anyway: nginx
> isn't about to support the CONNECT method like squid does. So you may want to
> use the squid with the fake resolver to be able to use your nginx as an https
> mitm proxy ;-)
> You may find such a code helpful for this:
> http://gitweb.vereshagin.org/fcgiproxy There are the config samples somewhere
> inside.

Calm down. The request is for a forward proxy. Where CONNECT works.

apmailist:
   the configuration is the same for reverse-proxy to its web server as
for a forward proxy to a specific remote site. (in theory you are
reverse-proxying the HTTPS access to that site).
   configure squid with a cache_peer using SSL options and the client
cert. Set your client browsers as normal to use the proxy.

>
> 2010/05/18 15:40:31 +0200 apmailist_at_free.fr => To squid-users_at_squid-cache.org :
>> Hello,
>>
>> I'm about to ask a daft question, maybe.
>> Several proxy clients will need to access a website that requires a
>> client certificate. In order to avoid deploying this certificate on
>> each client, we would like to install the certificate on squid so it
>> can pass it to the web server.
>> Is this technically possible?
>> This is maybe a security breach.
>> All the info I found relate to certificates and reverse proxies.
>>
>> Thank you
>>
>> Andrew
>
> 73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.3
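A squid.conf fragment for the cache_peer setup Amos outlines, added here as an illustration and not taken from the thread or from the Squid project. The hostname, certificate paths, peer name and client subnet are placeholders; it assumes the browsers request the site as plain `http://secure.example.com/` through the proxy, so that squid itself opens the TLS connection and presents the certificate (a CONNECT tunnel is end-to-end TLS between browser and site, and squid cannot add a certificate to it).

```conf
# Added example (not from the thread): squid.conf fragment for the setup Amos
# describes. Hostname, paths, peer name and subnet are placeholders.

# The remote HTTPS site that demands a client certificate.
acl clientcert_site dstdomain secure.example.com

# Define that site as an SSL origin-server peer and hand it squid's own
# client certificate and key. sslcafile names the CA that must have signed
# the site's server certificate, so squid does not accept an impostor;
# ssldomain makes squid check the name in that certificate as well.
cache_peer secure.example.com parent 443 0 no-query originserver ssl name=secure_site sslcert=/etc/squid/certs/client-cert.pem sslkey=/etc/squid/certs/client-key.pem sslcafile=/etc/squid/certs/site-ca.pem ssldomain=secure.example.com

# Only requests for that site may use the peer, and they must never go
# direct (a direct connection would reach the site without the certificate).
cache_peer_access secure_site allow clientcert_site
cache_peer_access secure_site deny all
never_direct allow clientcert_site

# Limit who may borrow the certificate through the proxy: only the internal
# clients in this (placeholder) subnet, everyone else is refused for that site.
acl authorized_clients src 192.0.2.0/24
http_access allow clientcert_site authorized_clients
http_access deny clientcert_site
```

Keep the key file readable only by the squid user, since anyone who can read it holds the same access the certificate grants.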
Received on Tue May 18 2010 - 15:28:42 MDT