Re: [squid-users] squid as a reverse proxy and exchange 2007- Mandating access with the certificate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 29 Aug 2010 11:30:24 +1200

Erwan Le Du wrote:
> Hi,
> I'm using "squid" as a reverse proxy to allow the users to connect to
> exchange 2007 from the outside. All is ok (OWA and RPC over https) but
> I would like to know if we can secure the connections with a
> certificate. I would like the users to be required to have the
> certificate to connect to the Outlook web access. For the moment if I
> don't have the certificate I get a warning from the internet browser
> (because it's a self signed certificate) but I can continue and
> finally "catch" the owa interface ... With apache I can use
> SSLVerifyClient but I don't know if it's possible with squid as a
> reverse proxy. Otherwise I can enable the option "client certificate
> require" in the ssl settings for the folder "owa" in IIS 7 but I would
> like to connect to outlook web access from the internal network
> without certificate.

Sure you can. These three things can be done to strengthen the
certificate security chain:

  * Remove the "sslflags=DONT_VERIFY_PEER" and Squid will check that the
certificate provided by OWA is valid and trustworthy, rejecting
connections to the peer if it is not.

  * Setting a client certificate which OWA trusts in the squid
cache_peer line will strengthen the link between Squid and OWA and
permit OWA to check that it is Squid doing the contact.
   (NP: says nothing about clients using Squid though, only the
particular Squid->OWA link)

  * Having the certificate presented by https_port signed properly by a
CA which the clients trust will resolve that self-signed warning.

OR

  * Having the certificate presented by https_port signed properly by a
CA which the clients trust will resolve that self-signed warning.

  * Specifying the clientca= option on https_port sets the list of
trusted CAs used to verify the visiting clients' certificates.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.7
   Beta testers wanted for 3.2.0.1
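What the settings Amos lists look like in squid.conf, as an added example that is not part of the thread and not taken from the Squid project's own documentation. The hostname owa.example.com, the peer address 10.0.0.5, the peer name "owa" and every file path are placeholders chosen for illustration; the "before" block shows the weak configuration the original poster describes (self-signed https_port certificate, peer verification switched off) and the "after" block shows the same two directives with Amos's changes applied.

```conf
# Added example, not from the thread. All hosts, addresses and paths are
# placeholders; adjust to the real deployment.

# --- Before: self-signed certificate on https_port, no client CA, and the
#     OWA server certificate is never verified (DONT_VERIFY_PEER).
https_port 443 accel defaultsite=owa.example.com cert=/etc/squid/owa-selfsigned.pem key=/etc/squid/owa-selfsigned.key
cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=owa

# --- After: the three changes Amos describes.
# Client-facing side: a certificate issued by a CA the browsers already
# trust (removes the self-signed warning), plus clientca= naming the CA
# whose client certificates Squid will accept from visiting browsers.
https_port 443 accel defaultsite=owa.example.com cert=/etc/squid/owa.example.com.crt key=/etc/squid/owa.example.com.key clientca=/etc/squid/client-ca.pem

# Squid->OWA side: DONT_VERIFY_PEER is gone, so the OWA certificate is
# checked against the CA bundle in sslcafile= and the connection is refused
# if it does not verify; sslcert=/sslkey= make Squid present its own client
# certificate, which OWA must be configured to trust.
cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl sslcert=/etc/squid/squid-client.crt sslkey=/etc/squid/squid-client.key sslcafile=/etc/squid/internal-ca.pem name=owa

cache_peer_access owa allow all
```

Run `squid -k parse` after editing to catch syntax errors before reloading. As Amos notes, the cache_peer certificate only authenticates the Squid-to-OWA hop; it says nothing about the browsers in front of Squid, which is what clientca= on https_port is for. The original poster's wish to let internal users reach OWA without a certificate is not covered by this fragment.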
Received on Sat Aug 28 2010 - 23:30:45 MDT