Unfortunately the peeking only logs the fqdn and no subdirectories, which doesn't meet our logging requirements for security :(. It sounds like there isn't a way to have squid do both currently, I do appreciate the information though!
On Wed, Apr 28, 2021 at 12:40 PM Alex Rousskov <[email protected]> wrote:

> On 4/27/21 6:23 PM, Justin Cook wrote:
> > In this case we're not looking to authenticate the user themselves with the squid server but with the destination web server, does that change the scope?
>
> * If you do need to bump TLS connections:
>
> Yes, certificate authentication with an origin server is a different problem. If Squid does not possess the client certificate key, then Squid cannot both bump the TLS client connection (i.e. become the client from the origin server point of view) and keep the old client from the origin server point of view.
>
> In this case, this is not a technical limitation of the current Squid implementation like "TLS inside TLS"; it is a protocol-level conflict that no implementation can resolve. TLS design makes faking/impersonating the authenticating client impossible without leaking the client key to the proxy.
>
> If you can refactor so that the origin server trusts Squid instead of the client, and Squid authenticates the TLS client, then we will be back to the earlier "TLS inside TLS" problem (not to mention client changes/complications), so this kind of refactoring is unlikely to be the right way forward.
>
> * If you only need to peek at TLS connections:
>
> You should be able to keep client certificate authentication. If Squid cannot keep that while peeking at the TLS client or the origin server, then there is a Squid bug somewhere.
>
> HTH,
>
> Alex.
>
> > On Tue, Apr 27, 2021 at 10:57 AM Alex Rousskov wrote:
> >
> > On 4/27/21 1:33 PM, Justin Cook wrote:
> > > We are running into a situation where we are unable to fully authenticate our users to an internal tooling service that requires certificate authentication as part of its login process, when going through squid forward proxy with SSL bump enabled.
> >
> > SslBump does not support "TLS inside TLS" configurations, which is what you get when you combine certificate-based proxy authentication (which requires an https_port working in a forward proxy mode) with SslBump (which, for an https_port, currently requires an interception proxy mode).
> >
> > It is possible to add support for "TLS inside TLS", but it requires a serious development effort.
> >
> > https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
> >
> > HTH,
> >
> > Alex.
_______________________________________________ squid-users mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-users
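The trade-off Alex describes (bump for full URL logging, peek/splice to keep client-certificate authentication working) can be applied per destination rather than proxy-wide. The squid.conf fragment below is an added example, not configuration from the thread or from the Squid project; the CA path, helper path, cache directory and the `.tools.internal.example` hostname are assumptions.

```conf
# Added example (not from the thread): explicit forward proxy that bumps
# most TLS traffic but only peeks at, then splices, connections to hosts
# whose login depends on a TLS client certificate. Squid never holds the
# client's private key, so it cannot present that certificate to the
# origin; splicing hands the original TLS session through untouched.

# tls-cert= is the Squid 4 spelling (Squid 3.5 uses cert=). Paths assumed.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Destinations that require client-certificate authentication (assumed name).
acl clientcert_sites ssl::server_name .tools.internal.example
acl step1 at_step SslBump1

# Step 1: read the ClientHello (SNI) only; nothing is modified yet.
ssl_bump peek step1

# Step 2: SNI is now known. Splice the client-cert sites so the origin
# server sees the real client certificate. For these hosts access.log
# records only "CONNECT host:443", not the request path.
ssl_bump splice clientcert_sites

# Everything else: terminate TLS and log the full request line.
ssl_bump bump all
```

Verify the split in access.log: spliced hosts appear as CONNECT entries with the fqdn only, while bumped hosts show full https:// URLs.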
