Can Squid be used as "TLS termination proxy" to encrypt TCP connections using client certificates?
Maybe your admin dislikes NGINX Plus
because it isn't open source and would accept another well maintained open source product. Then ask him to look at stunnel. It is designed for exactly your needs.
Quoting an stunnel example at wikipedia (for SMTP, but this would fit alos for your needs):
For example, one could use stunnel to provide a secure SSL connection to an existing non-SSL-aware SMTP mail server. Assume the SMTP server expects TCP connections on port 25. One would configure stunnel to map the SSL port 465 to non-SSL port 25. A mail client connects via SSL to port 465. Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client.
The stunnel process could be running on the same or a different server from the unsecured mail application; however, both machines would typically be behind a firewall on a secure internal network (so that an intruder could not make its own unsecured connection directly to port 25).
CONNECT is only used by HTTP clients to an HTTP proxy to establish a tunnel through the proxy. There's no scheme in HTTP for an encrypted connection to an HTTP proxy either.
I suspect an HTTP proxy is not what you're looking for here.
I don't know if Squid supports TCP plugs with TLS and client certificates but WinGate does. It also has the ability to verify the UserPrincipalName in the cert to an Active Directory.
Disclaimer: I work for Qbik who are the authors of WinGate.