By Brett Wright
We have a transparent squid proxy and we need to set up Mutual Authentication via TLS 1.2 between the squid proxy and an external endpoint.
Does anyone know how I would set this up?
Cheers,
Brett Wright
Hello,
Mutual TLS (mTLS) authentication is a two-way authentication process where both the client (Squid proxy in your case) and the server verify each other’s identities before establishing a secure communication channel. In order to set this up, you would typically require certificates for both parties.
Here are the general steps you should follow to configure mTLS with Squid.
Step 1: Obtain a client certificate for Squid.
This client certificate, typically issued by a trusted certificate authority (CA), is used to authenticate the Squid proxy to the external server. You need to install this certificate on your Squid server.
Step 2: Configure Squid to use the client certificate.
Once you’ve obtained the certificate, you can configure Squid to use it for all outgoing connections. In your Squid configuration file (/etc/squid/squid.conf), add these lines:
# Client certificate Squid presents to the external endpoint (Squid 3.x directive;
# Squid 4 and later use: tls_outgoing_options cert=... key=... cafile=...)
sslproxy_client_certificate /path/to/your/client/cert.pem
# Private key for the client certificate
sslproxy_client_key /path/to/your/private/key.pem
You may also need to specify the path to the CA certificate:
# CA bundle Squid uses to verify the external endpoint's server certificate
sslproxy_cafile /path/to/ca/cert.pem
# The next two directives turn that verification off and accept every certificate
# error, which removes the server-authentication half of mutual TLS; use them for
# temporary troubleshooting only
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
Replace /path/to/your/client/cert.pem, /path/to/your/private/key.pem, and /path/to/ca/cert.pem with the actual paths to your certificate, private key, and CA certificate files respectively.
Step 3: Reload Squid.
Finally, reload Squid to apply the changes:
sudo systemctl reload squid
Please note that actual steps can vary based on Squid version, OS version, and the specific setup of your infrastructure. It’s recommended to refer to the official Squid documentation and the documentation of your OS for more accurate information.
This setup assumes that the external endpoint server is already configured for mutual TLS authentication. If it’s not, you would need to configure it similarly: install a server certificate, and configure it to require and verify client certificates.
Lastly, please ensure that you secure the private keys properly and restrict their access, as they can be used to impersonate your server or client.
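Before pointing Squid at the certificate, key and CA files, it helps to confirm they belong together. The POSIX shell script below is an added example, not part of the original answer or of Squid: it assumes the openssl command-line tool is installed, and that the CA passed as the third argument is the one that issued Squid's client certificate (the CA the external endpoint trusts), which need not be the CA Squid itself uses to verify the endpoint. With no arguments it builds a throwaway CA and client certificate so the checks run offline.

```shell
#!/bin/sh
# Pre-flight check for the files named in sslproxy_client_certificate,
# sslproxy_client_key and the CA that issued the client certificate.
# Assumes the openssl command-line tool is installed.
set -eu

# Build a throwaway CA and client certificate in DIR so the checks can run
# offline (constructed test material, not real credentials).
make_test_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=squid-proxy' \
    -keyout "$dir/key.pem" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/cert.pem" >/dev/null 2>&1
}

# check_mtls_files CERT KEY ISSUER_CA
# Returns 0 when the key matches the certificate, the certificate chains to
# ISSUER_CA and it has not expired; returns 1 with a reason on stderr otherwise.
check_mtls_files() {
  cert=$1 key=$2 issuer_ca=$3
  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key $key does not match certificate $cert" >&2; return 1
  fi
  # 2. The certificate must chain to the CA the external endpoint trusts.
  if ! openssl verify -CAfile "$issuer_ca" "$cert" >/dev/null 2>&1; then
    echo "certificate $cert does not chain to $issuer_ca" >&2; return 1
  fi
  # 3. The certificate must be valid right now (-checkend 0 = not yet expired).
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "certificate $cert has expired" >&2; return 1
  fi
  return 0
}

# Usage: sh check.sh CERT KEY ISSUER_CA, or no arguments for a self-test.
if [ $# -eq 3 ]; then
  check_mtls_files "$1" "$2" "$3" && echo "all checks passed"
elif [ $# -eq 0 ]; then
  work=$(mktemp -d)
  make_test_material "$work"
  check_mtls_files "$work/cert.pem" "$work/key.pem" "$work/ca.pem" && echo "self-test passed"
fi
```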