On 14/11/20 8:30 am, Bob Rich wrote:

> I've got squid configured as an old-school explicit forward proxy.

> I would like to limit access through the proxy to only those clients that authenticate either to an HTTPS proxy listener or via client auth injected into a CONNECT request to the origin server. Please note that in this use case the origin server is not expecting TLS auth in any way. This is just being used initially to prevent unauthenticated clients from using the proxy.

You seem to have been confused by the presence of TLS / HTTPS.

From your description it appears that the clients are talking to Squid using HTTP. Any authentication they send to Squid has to be HTTP Authentication, which is validated by the auth_param helper and the proxy_auth ACL type:
<https://wiki.squid-cache.org/Features/Authentication>

To a regular forward-proxy a CONNECT request is an instruction to open a TCP tunnel to the origin. There is no way to pass authentication credentials in a TCP SYN packet. So the origin will not be aware of *which* client authenticated.

However, the way you described your requirement implies that the origin does not need the credentials anyway. It is only the proxy which cares about auth to decide whether to relay or block a client.

> Ideally we would be able to base access control on information derived from subject DN or other attributes in the certificate, but I'm just aiming for basic functionality right now.


That requires a completely different design for the proxy architecture, one which has no relation to HTTP authentication at all.


If you really want this TLS certification to be the primary access for clients, I think it better to concentrate on getting that design working, then add any HTTP auth as a backup later.


> I built 4.13 locally on Ubuntu and as far as I can tell all of the other SSL features are working (ssl_bump, generate-host-certificates, etc).

> Thanks in advance for any advice!



Amos
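A squid.conf fragment implementing the HTTP-authentication design described above, where the proxy itself checks credentials on every request (CONNECT included) before relaying anything. This is an added example, not configuration from the thread or from the Squid project; the helper path, password file, ports and certificate path are assumptions for an Ubuntu build.

```conf
# Added example: require HTTP Basic authentication at the proxy.
# Helper path and password file are assumptions; adjust for your build.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid forward proxy
auth_param basic credentialsttl 2 hours

# Plain listener, plus a TLS listener so Basic credentials are not sent in
# the clear (certificate path is an assumption).
http_port 3128
https_port 3129 tls-cert=/etc/squid/proxy.pem

# Matches any client that has presented credentials the helper accepted.
acl authenticated proxy_auth REQUIRED

acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access is first-match. A CONNECT is just a request to open a TCP
# tunnel, so it is authorised here, before the tunnel exists; the origin
# never sees the credentials and does not need to.
http_access deny CONNECT !SSL_ports

# Unauthenticated clients get a 407 with the realm above and nothing
# is relayed until they send a valid Proxy-Authorization header.
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

Basic credentials are only base64-encoded, so point clients at the https_port listener (or switch auth_param to the digest scheme) rather than accepting them over plain HTTP.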
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users