[squid-users] Squid CONNECT tunnel

Alex Rousskov rousskov at measurement-factory.com
Wed May 4 16:47:03 UTC 2022


On 5/4/22 12:30, roee klinger wrote:

> Basically, I need to set up a cache_peer, and have all traffic to it be 
> sent using CONNECT, and add an HTTP CONNECT header such as:
> CONNECT test1 HTTP/1.1\r\n\r\n .

> Is that possible with Squid?

Squid can be configured to forward all http_port and https_port traffic 
to a cache_peer. The same may be true for ftp_port, but I am not sure.

However, Squid cannot be configured to forward "all traffic" (i.e. all 
protocols and all protocol commands) using the CONNECT request method 
specifically. For example, plain HTTP GET requests received on an 
http_port will be forwarded using the GET method, not CONNECT.

Furthermore, it would be difficult (and probably wrong) to rewrite the 
destination of all requests to "test1". In most cases, a request going 
to origin server A should look different than a request going to origin 
server B. However, I am not sure whether "test1" in your template was a 
constant that should not be changed across requests.

Finally, I doubt that you actually need to forward _all_ traffic using 
CONNECT tunnels. You probably need to forward some specific requests. 
For that (unknown to me) subset of requests, Squid may (or may not) use 
CONNECT when talking to a configured cache_peer.

Alex.


> On 3 May 2022, 16:30 +0300, Alex Rousskov wrote:
>> On 5/3/22 06:12, roee klinger wrote:
>>> Hey,
>>>
>>> I am trying to use Squid with FTP server TCP Port Multiplexing, on the
>>> FRP documentation (https://github.com/fatedier/frp#tcp-port-multiplexing),
>>> it says:
>>>
>>> frp supports receiving TCP sockets directed to different proxies on
>>> a single port on frps, similar to vhost_http_port and vhost_https_port.
>>>
>>> The only supported TCP port multiplexing method available at the
>>> moment is httpconnect - HTTP CONNECT tunnel.
>>>
>>> When setting tcpmux_httpconnect_port to anything other than 0 in
>>> frps under [common], frps will listen on this port for HTTP CONNECT
>>> requests.
>>>
>>> The host of the HTTP CONNECT request will be used to match the proxy
>>> in frps. Proxy hosts can be configured in frpc by configuring
>>> custom_domain and / or subdomain under type = tcpmux proxies, when
>>> multiplexer = httpconnect.
>>>
>>> In the above configuration - frps can be contacted on port 1337 with
>>> a HTTP CONNECT header such as:
>>> CONNECT test1 HTTP/1.1\r\n\r\n
>>>
>>> and the connection will be routed to proxy1.
>>>
>>>
>>>
>>> I have been struggling to find info about the use of CONNECT tunnels in
>>> Squid, the only page that seems to be talking about it is this:
>>> https://wiki.squid-cache.org/Features/HTTPS, and the link it points to
>>> is broken.
>>>
>>> My question is, how can I use this with Squid? Can I configure Squid to
>>> receive traffic and then send it out to FRP with a custom CONNECT header?
>>>
>>> I am not sure if this is only good for web servers, or if upstream proxy
>>> servers can use this method too.
>>
>> CONNECT is usually used for opening TCP tunnels through HTTP proxies.
>> Squid uses CONNECT (only) when the HTTP protocol requires such use:
>> Squid will send a CONNECT request if you configure Squid to talk to a
>> configured cache_peer (without an originserver flag), provided Squid
>> needs to open a TCP tunnel through that cache_peer.
>>
>> Squid uses TCP tunnels in several cases. The most common use case is
>> when Squid is forwarding a received CONNECT request (or an intercepted
>> TLS connection) through a cache_peer.
>>
>> I have not studied FRP documentation and do not know how it all maps to
>> your specific use case, but if you can summarize your use case in basic
>> FTP/HTTP/TLS terms (e.g. Squid receives FTP request X and should send
>> HTTP request Y), we may be able to help you with Squid configuration.
>>
>> Alex.
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
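
The point in this thread about request methods, as an added example that is not part of the original messages and is not Squid or FRP code: a toy model of a listener that routes on the host of a CONNECT request, fed the documented `CONNECT test1` request plus constructed samples of a GET and a CONNECT as a forwarding proxy would send them to a peer. The `ROUTES` table, the function names and the sample requests are assumptions made for illustration.

```python
# Added illustration: a toy model of a listener that routes on the host of an
# HTTP CONNECT request. It is not FRP or Squid code.
ROUTES = {"test1": "proxy1"}  # constructed table: CONNECT host -> proxy name


def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line of an HTTP request."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request header")
    line = head.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return tuple(parts)


def connect_host(target: str) -> str:
    """Strip an optional :port from a CONNECT target (authority-form)."""
    if target.startswith("["):  # bracketed IPv6 literal such as [::1]:443
        return target.partition("]")[0][1:]
    return target.rsplit(":", 1)[0] if ":" in target else target


def route(raw: bytes) -> str:
    """Return the proxy name for a request, or the reason it cannot be routed."""
    try:
        method, target, _ = parse_request_line(raw)
    except ValueError as exc:  # also covers non-ASCII bytes (UnicodeDecodeError)
        return f"reject: {exc}"
    if method != "CONNECT":
        return f"reject: method {method} is not CONNECT"
    host = connect_host(target).lower()
    return ROUTES.get(host, f"reject: no proxy for host {host!r}")


# Constructed samples of what could arrive at such a listener.
SAMPLES = {
    "frp_doc": b"CONNECT test1 HTTP/1.1\r\n\r\n",
    "forwarded_get": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "forwarded_connect": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {route(raw)}")
```

Only the request whose CONNECT target is a configured host gets routed; the GET fails on its method, and the CONNECT that carries the origin server's authority fails on the host lookup.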
