Re: [squid-users] Let Squid use SSL certificate for a parent cache peer
On 5/05/20 10:21 pm, mariolatif741 wrote: > The purpose of proxy A is that its the proxy that will be given to my > clients. The purpose of all what I am doing is to let my clients use proxy B > indirectly through proxy A (so they can use proxy B without installing the > CA certificate) > It sounds to me like you only need one proxy. Squid can listen on multiple ports and treat traffic differently per-port. If you do not want to (or cannot) install a custom CA on clients that is fine. It just prevents you from using the SSL-Bump 'bump' action on the TLS traffic from those clients. More than one proxy will not help with that restriction. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Let Squid use SSL certificate for a parent cache peer
On Tuesday 05 May 2020 at 12:21:19, mariolatif741 wrote: > The purpose of proxy A is that its the proxy that will be given to my > clients. The purpose of all what I am doing is to let my clients use proxy > B indirectly through proxy A (so they can use proxy B without installing > the CA certificate) Won't work. If you are doing HTTPS / SSL / TLS interception *at any point* in the chain between the client and the real server, then the machine doing the interception is going to have to generate a fake certificate for what it sends back to the client (no matter whether that passes through an intermediate proxy or not), therefore the client needs to have the fake CA certificate installed in order to trust what it receives. There is no way for the client to get the "real" certificate from the "real" server if a machine in between intercepts and decrypts the communication. If there were, TLS security would be meaningless. Regards, Antony. -- "Measuring average network latency is about as useful as measuring the mean temperature of patients in a hospital." - Stéphane Bortzmeyer Please reply to the list; please *don't* CC me. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Let Squid use SSL certificate for a parent cache peer
The purpose of proxy A is that its the proxy that will be given to my clients. The purpose of all what I am doing is to let my clients use proxy B indirectly through proxy A (so they can use proxy B without installing the CA certificate) Antony Stone wrote > On Tuesday 05 May 2020 at 11:48:12, mariolatif741 wrote: > >> Since you said "If the client is participating in the TLS handshake it >> *always* requires the CA to be installed.", then I guess what I want to >> do >> is not possible. >> >> Can I make Squid send the requests received from the client to the cache >> peer? (so the cache peer would see the requests coming from the Squid >> server and not from the client), I think if this is possible then it'd >> help in my case. > > What are you trying to achieve? > > It sounds as though you want the client to talk to proxy A, which talks to > proxy B, which sends requests to the Internet, and you want to do content > inspection / filtering on proxy B. > > What is the purpose of proxy A? > > Regards, > > > Antony. > > -- > "Remember: the S in IoT stands for Security." > > - Jan-Piet Mens > >Please reply to the > list; > please *don't* CC > me. > ___ > squid-users mailing list > squid-users@.squid-cache > http://lists.squid-cache.org/listinfo/squid-users -- Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Let Squid use SSL certificate for a parent cache peer
On 5/05/20 9:48 pm, mariolatif741 wrote: > Since you said "If the client is participating in the TLS handshake it > *always* requires > the CA to be installed.", then I guess what I want to do is not possible. > > Can I make Squid send the requests received from the client to the cache > peer? (so the cache peer would see the requests coming from the Squid server > and not from the client), I think if this is possible then it'd help in my > case. That is what peers are for. So yes - with the caveat that it is not clear whether what you are calling "requests" are actually HTTP messages. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Let Squid use SSL certificate for a parent cache peer
On Tuesday 05 May 2020 at 11:48:12, mariolatif741 wrote: > Since you said "If the client is participating in the TLS handshake it > *always* requires the CA to be installed.", then I guess what I want to do > is not possible. > > Can I make Squid send the requests received from the client to the cache > peer? (so the cache peer would see the requests coming from the Squid > server and not from the client), I think if this is possible then it'd > help in my case. What are you trying to achieve? It sounds as though you want the client to talk to proxy A, which talks to proxy B, which sends requests to the Internet, and you want to do content inspection / filtering on proxy B. What is the purpose of proxy A? Regards, Antony. -- "Remember: the S in IoT stands for Security." - Jan-Piet Mens Please reply to the list; please *don't* CC me. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Let Squid use SSL certificate for a parent cache peer
Since you said "If the client is participating in the TLS handshake it *always* requires the CA to be installed.", then I guess what I want to do is not possible. Can I make Squid send the requests received from the client to the cache peer? (so the cache peer would see the requests coming from the Squid server and not from the client), I think if this is possible then it'd help in my case. -- Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Let Squid use SSL certificate for a parent cache peer
On 5/05/20 9:04 pm, mariolatif741 wrote: > Hello, > > I have a Squid proxy server (proxy A) and I redirect all its traffic to > another proxy (proxy B) using a parent cache peer. > > However, proxy B requires a SSL certificate to be used so it can intercept > the HTTPS requests and read them. > > I want to specify the path of the CA certificate to Squid in proxy A so my > users can be redirected to proxy B without having to install the CA > certificate. > > Is it possible? If the client is participating in the TLS handshake it *always* requires the CA to be installed. To use TLS on the connection between proxyA and proxyB: cache_peer proxyB parent 3128 0 tls-ca=/path/to/proxyB_CA.pem Note that this is only to encrypt traffic between the proxies. When the client is not involved. To further improve security you should also use a client certificate for proxyA and setup client cert validation between the proxies. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Let Squid use SSL certificate for a parent cache peer
Hello, I have a Squid proxy server (proxy A) and I redirect all its traffic to another proxy (proxy B) using a parent cache peer. However, proxy B requires a SSL certificate to be used so it can intercept the HTTPS requests and read them. I want to specify the path of the CA certificate to Squid in proxy A so my users can be redirected to proxy B without having to install the CA certificate. Is it possible? -- Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
