[squid-users] Squid CONNECT tunnel

Alex Rousskov rousskov at measurement-factory.com
Tue May 3 13:30:10 UTC 2022


On 5/3/22 06:12, roee klinger wrote:
> Hey,
> 
> I am trying to use Squid with FTP server TCP Port Multiplexing, on the 
> FRP documentation (https://github.com/fatedier/frp#tcp-port-multiplexing), 
> it says:
> 
>     frp supports receiving TCP sockets directed to different proxies on
>     a single port on frps, similar to vhost_http_port and vhost_https_port.
> 
>     The only supported TCP port multiplexing method available at the
>     moment is httpconnect - HTTP CONNECT tunnel.
> 
>     When setting tcpmux_httpconnect_port to anything other than 0 in
>     frps under [common], frps will listen on this port for HTTP CONNECT
>     requests.
> 
>     The host of the HTTP CONNECT request will be used to match the proxy
>     in frps. Proxy hosts can be configured in frpc by configuring
>     custom_domain and / or subdomain under type = tcpmux proxies, when
>     multiplexer = httpconnect.
> 
>     In the above configuration - frps can be contacted on port 1337 with
>     a HTTP CONNECT header such as:
>     CONNECT test1 HTTP/1.1\r\n\r\n
> 
>     and the connection will be routed to proxy1.
> 
> 
> 
> I have been struggling to find info about the use of CONNECT tunnels in 
> Squid, the only page that seems to be talking about it is this: 
> https://wiki.squid-cache.org/Features/HTTPS, and the link it points to 
> is broken.
> 
> My question is, how can I use this with Squid? Can I configure Squid to 
> receive traffic and then send it out to FRP with a custom CONNECT header?
> 
> I am not sure if this is only good for web servers, or if upstream proxy 
> servers can use this method too.

CONNECT is usually used for opening TCP tunnels through HTTP proxies. 
Squid uses CONNECT (only) when the HTTP protocol requires such use: 
Squid will send a CONNECT request if you configure Squid to talk to a 
configured cache_peer (without an originserver flag), provided Squid 
needs to open a TCP tunnel through that cache_peer.

Squid uses TCP tunnels in several cases. The most common use case is 
when Squid is forwarding a received CONNECT request (or an intercepted 
TLS connection) through a cache_peer.

I have not studied FRP documentation and do not know how it all maps to 
your specific use case, but if you can summarize your use case in basic 
FTP/HTTP/TLS terms (e.g. Squid receives FTP request X and should send 
HTTP request Y), we may be able to help you with Squid configuration.

Alex.
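
The CONNECT exchange discussed in this thread, as an added example that is not part of the original messages and is not Squid or frp code: a toy multiplexer parses the CONNECT request line, selects a route by host, and answers 200 before treating further bytes as opaque tunnel data. The routing table, the function names and the echoing stand-in backend are constructed for illustration.

```python
import socket
import threading

# Constructed routing table (hypothetical): CONNECT host -> backend label.
ROUTES = {"test1": "proxy1", "test2": "proxy2"}

def parse_connect(head: bytes) -> str:
    """Return the lowercased host of a CONNECT request; raise ValueError otherwise."""
    line = head.split(b"\r\n", 1)[0].decode("ascii")  # UnicodeDecodeError is a ValueError
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    host = parts[1].rsplit(":", 1)[0]  # drop an optional :port (IPv6 literals not handled)
    if not host or any(c in host for c in "/@\t"):
        raise ValueError("bad authority")
    return host.lower()

def read_head(sock, limit=8192):
    """Read until the blank line that ends an HTTP head (bounded to `limit` bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf

def serve_one(conn):
    """Multiplexer side: route by CONNECT host, then treat the stream as opaque bytes."""
    with conn:
        try:
            backend = ROUTES[parse_connect(read_head(conn))]
        except (ValueError, KeyError):
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        conn.sendall(backend.encode() + b":" + conn.recv(1024))  # stand-in backend: echo

def tunnel(host, payload):
    """Client side over a local socketpair; returns (status, bytes echoed via tunnel)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server,))
    worker.start()
    with client:
        client.sendall(f"CONNECT {host} HTTP/1.1\r\n\r\n".encode())
        status = int(read_head(client).split(b" ", 2)[1])
        echoed = b""
        if status == 200:
            client.sendall(payload)
            echoed = client.recv(1024)
    worker.join()
    return status, echoed

if __name__ == "__main__":
    print(tunnel("test1", b"ping"), tunnel("nope", b"ping"))
```

Rejecting anything that is not a well-formed CONNECT for a known host before replying 200 keeps the listener from acting as an open relay to arbitrary destinations.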

