Yes, you could use Squid as a reverse accelerator, or we ended up using stunnel for the client-to-Squid connection -- stunnel on each end, configured to require a client certificate, and the browser proxy setting set to the stunnel endpoint on the client. Stunnel support for client certificates isn't perfect -- e.g. it won't read them out of a certificate store, they have to be at a known location in the filesystem, and they have to be PEM format, so you have to have your users export your x.509 certs. We ended up having a script that runs at user login to generate the correct stunnel configuration file, then runs stunnel using that just-generated config file.
Now that OpenSSL has the hooks to read from the Windows (IE) certificate store, I'm sure stunnel will eventually do that, which will make the whole approach more straightforward. I discussed this with the stunnel programmer - but couldn't work out having our company fund the development, so it'll be worked against his other priorities over time, I believe.
And be aware, we had a dickens of a time getting Squid for Windows to work using SSL (and to be fair, SSL support in the Windows version is marked as experimental) ... we finally gave up. Part of why we used stunnel.
-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar_at_fantomas.sk]
Sent: Tuesday, December 21, 2010 10:34 AM
To: squid-users_at_squid-cache.org
Subject: EXTERNAL: Re: [squid-users] Using client certs for authentication
On 21.12.10 16:11, Sebastian John wrote:
> is there a way (or maybe a sample configuration) to use certs at
> client to authenticate against the proxy?
Afaik no HTTP client supports SSL (HTTPS) for talking to proxy. I don't know
of other way to use certs for client authentication than SSL.
> I tried some different examples found at the internet, but nothing
> works for me. How must I configure squid to request a certificate from
> client befor using the proxy.
you apparently could use squid as reverse proxy, but then it would behave as
if your client was talking to server, not to a proxy.
-- Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901Received on Tue Dec 21 2010 - 18:02:52 MST
This archive was generated by hypermail 2.2.0 : Wed Dec 22 2010 - 12:00:03 MST