On Mon, 14 Mar 2011 13:43:38 +0100, Jaime Nebrera wrote:
Dear all,

  This is my first email to the list in a looong time so please
forgive me if I'm saying something stupid.

  I want to authenticate users using a digital certificate they will
already own for a "forwarding proxy".

  That is, the browsers will use squid to navigate the internet (not
reverse proxy), do some ACL (white / black list validating the user
against an LDAP server) and some antivirus filtering (ICAP or similar).

  Reading the available information on the Internet I'm not sure if
this is possible or not.

It is. Though not easily.


  As reverse proxy there is no problem, but as a forwarding proxy I
have seen some replies but don't know for sure if it's possible or not.

Squid https_port can accept forward proxy traffic as easily as reverse-proxy traffic. The difficulty comes when you find out that none of the popular browsers actually open HTTPS connections to proxies. An stunnel wrapper is needed to apply the SSL bit from the user's box to the Squid.



  I have also seen SSLBump, which seems to be on that topic.

Nope, this is MITM on HTTPS. No per-user certificates involved.


  BTW, I would like the proxy to use User's certificate when
authenticating against other (external) servers.

It cannot. The SSL traffic which follows a certificate CANNOT be generated without the secret keys associated with the certificate. Squid does not have this information and can only be configured to use one set of keys for all DIRECT outgoing traffic.

What you have instead is a certificate authorizing Squid to open connections to external places plus some ACL rules in squid.conf limiting which clients are allowed to go via HTTPS to those places. Those external places see Squid as the client software even with regular HTTP traffic.

Amos
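As an added illustration (not part of the thread and not Squid project documentation), one way to wire up the stunnel-to-https_port arrangement Amos describes, with Squid asking the user's box for a certificate and an ACL matching on it. Hostnames, ports, file paths and the CA layout are assumptions; Squid must be built with SSL support, and the option names follow the Squid 3.x configuration reference.

```conf
# --- squid.conf on the proxy (assumed paths and ports) ---
# https_port accepts the TLS connection from the client-side stunnel.
# clientca= makes Squid request a client certificate issued by that CA;
# sslflags=NO_DEFAULT_CA keeps the system CA bundle out of the decision.
https_port 3129 cert=/etc/squid/ssl/proxy.crt key=/etc/squid/ssl/proxy.key \
                clientca=/etc/squid/ssl/user-ca.crt sslflags=NO_DEFAULT_CA

# Match on the presented client certificate: user_cert checks the
# subject, ca_cert checks the issuing CA. Requests that arrive without
# a certificate match neither ACL and fall through to the denies.
acl cert_users  user_cert O  "Example Corp"
acl cert_issuer ca_cert   CN "Example Corp User CA"

# Usual forward-proxy hygiene: only CONNECT to 443, only safe ports.
acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access deny  !cert_issuer
http_access allow cert_users
http_access deny  all

# --- stunnel.conf on the user's box (stunnel in client mode) ---
# The browser is pointed at proxy 127.0.0.1:3128 over plain HTTP; stunnel
# wraps that hop in TLS and presents the user's own certificate and key
# to Squid, which is the part no popular browser will do by itself.
# verify = 2 makes stunnel check the proxy's certificate against CAfile,
# so the user is not fooled into sending traffic to an impostor proxy.
client = yes
cert   = /home/alice/.ssl/alice.crt
key    = /home/alice/.ssl/alice.key
CAfile = /home/alice/.ssl/proxy-ca.crt
verify = 2

[squid]
accept  = 127.0.0.1:3128
connect = proxy.example.com:3129
```

Note that this only authenticates the user to Squid; as Amos says, Squid's outgoing connections still use Squid's own keys, never the user's.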
