Re: [squid-users] explicit forward proxy to server requiring client authentication
>> 18.05.16 3:11, Robert W Weaver wrote:
>>> The issue is I need to connect to a site that requires client
>>> authentication. Don't want to put the key and cert on each individual
>>> user, so instead want the key and cert on the proxy.
>>>
>>> Diagram:
>>>
>>> User A ---> Squid S ---> Server B
>>>          ^           ^
>>>          |           +-- TLS client authentication
>>>          +-- cleartext okay

On Wed, 18 May 2016 17:48:26 +1200, Amos Jeffries wrote:
> On 18/05/2016 10:05 a.m., Yuri Voinov wrote:
>>
>> ... and a bit below in squid.conf.documented we can see:
>>
>> # SSL OPTIONS
>> # -
>>
>> # TAG: sslproxy_client_certificate
>> #	Client SSL Certificate to use when proxying https:// URLs
>> #Default:
>> # none
>>
>> # TAG: sslproxy_client_key
>> #	Client SSL Key to use when proxying https:// URLs
>> #Default:
>> # none
>>
>> Ta-da!
>
> You are the one getting it wrong here Yuri :-(

I am celebrating Yuri's ta-dah. The clue to squid.conf.documented was
crucial, and the specific hint to sslproxy_client_* was what was missing.
From S to B it is now working properly. Squid is now in the middle, and is
performing authentication to server B properly.

> * clientca= is for listening ports. He wants that connection to be cleartext.
> * sslproxy_* directives are for generic DIRECT connections. He wants a
>   specific proxy<->server connection to be TLS authenticated.
>
> For the S<->B connection to use client certificates, cert= and key= on
> the cache_peer directive defining that link are correct.
> But there are two other details that need to happen for it to work:
> * the server actually challenge for the proxy's 'client' cert, and
> * the server trust the CA which signed that cert.

This is happening. I'd generated a CSR and had the CA that is the "owner" of
server B sign it for me. We are cool.

> The world of "not working" is a very big place. We need more details of
> *how* it's not working in order to have any guideposts towards what the
> problem actually is. As Yuri used to say a lot, my psychic friend is on
> holiday.

It is now working to an acceptable point, although there is an enhancement
that would be nice. Right now,

1. A connects to S, requests https://B/some/image.png
2. S connects to B over TLS, performs client authentication, gets
   /some/image.png (or pulls from cache)
3. A converts to TLS to S, pulls down data.

This is fine, it's just that there is an unnecessary encrypt/decrypt between
A and S. The connection is inside a controlled data center (on the same
switch, perhaps on the same ESX host) so I'm not concerned about security --
not to mention the cached data isn't especially sensitive. So this last bit
is just an enhancement, a nice to have. It's the opposite of SSL termination
for accelerators, so I suspect it's possible, just don't know how to do it.

Coffee (or a favorite beverage) all around!

--woody

-- 
Doubt is not a pleasant condition, but certainty is absurd. -- Voltaire

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
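As an added example (not from this thread or from the Squid project), here is a squid.conf fragment for the S-to-B leg that the two replies above describe: the proxy presents its own client certificate to Server B instead of the users' certificates. It assumes Squid 3.5 (the release named elsewhere in the thread), where the cache_peer options Amos refers to as cert= and key= are spelled sslcert= and sslkey=; the host name b.example.com, the client subnet, the file paths and the ACL names are placeholders. Both routes from the thread are shown: Yuri's sslproxy_client_* directives (commented out, since they apply to every direct https:// fetch Squid makes) and Amos's cache_peer link, which scopes the credential to the one server. Because the proxy's key now authenticates anyone who can send a request through the proxy, the fragment also limits who may reach that peer.

```conf
# Added example, not from the thread or the Squid project. Assumes Squid 3.5.
# b.example.com (Server B), 10.0.0.0/24 (User A's network), the file paths
# and the ACL names are placeholders.

# Who is allowed to borrow the proxy's identity, and for which destination.
acl lan_clients src 10.0.0.0/24
acl server_b dstdomain b.example.com

# Route 1 (Yuri's hint): one client cert/key for every direct TLS connection
# Squid opens itself. Simple, but the credential is then offered to any
# origin that asks for a client certificate, so it is left disabled here.
#sslproxy_client_certificate /etc/squid/proxy-client.crt
#sslproxy_client_key         /etc/squid/proxy-client.key

# Route 2 (Amos's approach): tie the credential to the S<->B link only.
# sslcafile= lets Squid verify B's own server certificate against the CA
# that issued it (the same CA that signed the proxy's CSR in this thread).
cache_peer b.example.com parent 443 0 no-query originserver ssl \
    sslcert=/etc/squid/proxy-client.crt \
    sslkey=/etc/squid/proxy-client.key \
    sslcafile=/etc/squid/server-b-ca.pem \
    name=serverB

# Only requests for B may use the peer, and requests for B must not bypass it
# (otherwise Squid could go DIRECT and present no client certificate at all).
cache_peer_access serverB allow server_b
cache_peer_access serverB deny all
never_direct allow server_b

# Gate who can trigger an authenticated fetch in the first place.
http_access allow lan_clients server_b
http_access deny all
```

After a reload, a request from the allowed subnet for https://b.example.com/... should show up in B's access log as authenticated with the proxy's certificate subject, while a request from any other source is refused by the proxy before any TLS connection to B is opened. If B still rejects the handshake, the two conditions Amos lists are the first things to check: that B actually requests a client certificate, and that B trusts the CA that signed the proxy's certificate.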
Re: [squid-users] explicit forward proxy to server requiring client authentication
On 17.05.16 17:11, Robert W Weaver wrote:
> The issue is I need to connect to a site that requires client
> authentication. Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>
> Diagram:
>
> User A ---> Squid S ---> Server B
>          ^           ^
>          |           +-- TLS client authentication
>          +-- cleartext okay
>
> I'm able to bump, but the client authentication to server B isn't working.

...of course it's not working. When you bump a connection, you are
effectively doing the MITM attack. The client talks to a proxy and the proxy
talks to a server. Squid can't use the client's certificate because it does
not have the client's private key (the whole point of SSL is to avoid these
situations).

SSL authentication can work between client and proxy, and another one
between proxy and the server. If you have a certification authority, you can
create a fake client key and authenticate with it, but the server (site) must
accept your authority.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.
Re: [squid-users] explicit forward proxy to server requiring client authentication
On 17.05.16 18:10, zodyo wrote:
> I have the same problem here, the client can't log in to a server with
> auth like LDAP via a transparent/static Squid. I have tried with Lusca and
> the newer Squid 3.5.17.

How can this be the same problem? It's a very different problem.

When talking about a "transparent" proxy, you apparently mean an
"intercepting" proxy - the client tries to connect to a server, but the
connection is redirected to the proxy.

Now, the client can _not_ log onto a proxy if it believes it connects to the
server, not to the proxy - it does not know there's a proxy.

You must configure the proxy (explicitly, or using the WPAD protocol) if you
want your clients to authenticate on it. Or, you must use an out-of-band
authentication protocol (an external program that will check who the client
is, e.g. who is logged on at the client computer).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Save the whales. Collect the whole set.
Re: [squid-users] explicit forward proxy to server requiring client authentication
Dear all,

I have the same problem here, the client can't log in to a server with auth
like LDAP via a transparent/static Squid. I have tried with Lusca and the
newer Squid 3.5.17.
Re: [squid-users] explicit forward proxy to server requiring client authentication
PS. I read the manual out loud. With an expression. Expensive. :-!:-D

18.05.16 3:11, Robert W Weaver wrote:
> Greetings, squid users and devs,
>
> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
>
> The issue is I need to connect to a site that requires client
> authentication. Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>
> Diagram:
>
> User A ---> Squid S ---> Server B
>          ^           ^
>          |           +-- TLS client authentication
>          +-- cleartext okay
>
> I'm able to bump, but the client authentication to server B isn't working.
> Configured cert and key on S with ssl-bump cert= .. key= .. but that isn't
> working.
>
> Is this not possible?
>
> --woody
>
> /--
> "I used to wish the universe were fair. Then one day it hit me: What if
> the universe were fair? Then all the awful things that happen to us in
> life, would happen because we deserved them. So now I take great pleasure
> in the general hostility and unfairness of things."
> -- Marcus, on Babylon 5/
Re: [squid-users] explicit forward proxy to server requiring client authentication
... and a bit below in squid.conf.documented we can see:

# SSL OPTIONS
# -

# TAG: sslproxy_client_certificate
#	Client SSL Certificate to use when proxying https:// URLs
#Default:
# none

# TAG: sslproxy_client_key
#	Client SSL Key to use when proxying https:// URLs
#Default:
# none

Ta-da!

18.05.16 3:11, Robert W Weaver wrote:
> Greetings, squid users and devs,
>
> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
>
> The issue is I need to connect to a site that requires client
> authentication. Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>
> Diagram:
>
> User A ---> Squid S ---> Server B
>          ^           ^
>          |           +-- TLS client authentication
>          +-- cleartext okay
>
> I'm able to bump, but the client authentication to server B isn't working.
> Configured cert and key on S with ssl-bump cert= .. key= .. but that isn't
> working.
>
> Is this not possible?
>
> --woody
>
> /--
> "I used to wish the universe were fair. Then one day it hit me: What if
> the universe were fair? Then all the awful things that happen to us in
> life, would happen because we deserved them. So now I take great pleasure
> in the general hostility and unfairness of things."
> -- Marcus, on Babylon 5/
Re: [squid-users] explicit forward proxy to server requiring client authentication
18.05.16 3:11, Robert W Weaver wrote:
> Greetings, squid users and devs,
>
> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
>
> The issue is I need to connect to a site that requires client
> authentication. Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>
> Diagram:
>
> User A ---> Squid S ---> Server B
>          ^           ^
>          |           +-- TLS client authentication
>          +-- cleartext okay
>
> I'm able to bump, but the client authentication to server B isn't working.
> Configured cert and key on S with ssl-bump cert= .. key= .. but that isn't
> working.

Because these parameters are for bump, from Squid to the server. Not for the
client certificate.

> Is this not possible?

You're doing it wrong. When we read squid.conf.documented, a bit below we
can see:

#	clientca=	File containing the list of CAs to use when
#			requesting a client certificate.
#

> --woody
>
> /--
> "I used to wish the universe were fair. Then one day it hit me: What if
> the universe were fair? Then all the awful things that happen to us in
> life, would happen because we deserved them. So now I take great pleasure
> in the general hostility and unfairness of things."
> -- Marcus, on Babylon 5/