Home / server / Questions / 780218
Accepted
marsh-wiggle
Asked: 2016-06-02 01:13:17 +0800 CST

Can Squid be used as "TLS termination proxy" to encrypt TCP connections using client certificates?

  • 772

Abstract

I need an encrypted TCP connection from multiple clients to a single port over the internet. Can this be realized with Squid?

Concrete situation

We use a monitoring and client management solution in our company which is accessible over LAN and VPNs. It should be now accessible from external notebooks which don't use the company VPN. The communication must be encrypted (TLS). The clients authentication must use clients certificates. The communication is initiated by the clients and uses a single TCP port.

Results of my investigations

NGINX Plus seems to offer this feature but our admin prefers squid or apache. At the squid wiki I found that: Feature: HTTPS (HTTP Secure or HTTP over SSL/TLS) where TCP encrypting is mentioned. But I also found this warning:

It is important to notice that the protocols passed through CONNECT are not limited to the ones Squid normally handles. Quite literally anything that uses a two-way TCP connection can be passed through a CONNECT tunnel. This is why the Squid default ACLs start with deny CONNECT !SSL_Ports and why you must have a very good reason to place any type of allow rule above them.

Similar question

This question Encrypt client connection with squid forward proxy using SSL is simlar, but doesn't treat reverse proxies / TLS termination proxies.

What I need to know

I have only basic knowledge about that technologies and our admin asked me for general feasibility.

  • Can Squid be used for save encrypting of TCP connections?
  • Can this be realized using authentication with client certificates?
  • Or should it be used only for HTTPS connections?
squid encryption certificate tcp tls

2 Answers

  1. Best Answer

    Maybe your admin dislikes NGINX Plusbecause it isn't open source and would accept another well maintained open source product. Then ask him to look at stunnel. It is designed for exactly your needs.

    Quoting an stunnel example at wikipedia (for SMTP, but this would fit alos for your needs):

    For example, one could use stunnel to provide a secure SSL connection to an existing non-SSL-aware SMTP mail server. Assume the SMTP server expects TCP connections on port 25. One would configure stunnel to map the SSL port 465 to non-SSL port 25. A mail client connects via SSL to port 465. Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client.

    The stunnel process could be running on the same or a different server from the unsecured mail application; however, both machines would typically be behind a firewall on a secure internal network (so that an intruder could not make its own unsecured connection directly to port 25).

    • 7

  2. CONNECT is only used by HTTP clients to an HTTP proxy to establish a tunnel through the proxy. There's no scheme in HTTP for an encrypted connection to an HTTP proxy either.

    I suspect an HTTP proxy is not what you're looking for here.

    I don't know if Squid supports TCP plugs with TLS and client certificates but WinGate does. It also has the ability to verify the UserPrincipalName in the cert to an Active Directory.

    Disclaimer: I work for Qbik who are the authors of WinGate.

    • 2