[squid-users] TLS passthrough

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 28 16:02:52 UTC 2023


On 2023-09-28 11:31, Fernando Giorgetti wrote:

> And what should I do to let Squid use the SNI defined by the TLS client?

What do you want Squid to use that SNI for?

Alex.


> On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> 
>     On 2023-09-28 09:06, Fernando Giorgetti wrote:
>      > Hi Matus, do you mean something like a DNAT (iptables) rule?
>      > If so, I would say, it should work as well.
>      >
>      > But this is an environment I do not control, and I have been told
>      > to try using an existing squid installation to proxy non-http/TLS
>      > data through.
>      >
>      > I appreciate any guidance or recommendation.
> 
> 
>     Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
>     X) TCP traffic to its intended destination:
> 
>           https_port X intercept ssl-bump ...
>           ssl_bump splice all
> 
> 
>     Without interception, then Squid can only tunnel stuff inside HTTP
>     CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> 
>           http_port Y ssl-bump ...
>           ssl_bump splice all
> 
> 
>     In both cases, Squid does not care about the protocols that tunneled
>     traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
>     of TCP.
> 
>     Your ACLs may differ from "all" in the above sketches, of course, but if
>     traffic is not TLS, then you want an "ssl_bump splice" rule that matches
>     during SslBump step1. A rule with an "all" ACL is the simplest example
>     of that.
> 
> 
>     HTH,
> 
>     Alex.
>     P.S. I am getting an "Internal Server Error" when following the haproxy
>     link in the original question, so I cannot map what that page says to
>     the configurations above.
> 
> 
>      > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
>      >
>      >     On 27.09.23 16:48, Fernando Giorgetti wrote:
>      >      >I would like to know if it is possible to set up Squid to perform
>      >      >TLS passthrough to a given backend, relaying TLS encrypted
>      >      >traffic to the backend, similarly to what HAProxy does below?
>      >      >
>      >      >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
>      >      >
>      >      >I have tried a few different configurations using reverse proxy,
>      >      >or peek and splice, but I could not make it work without providing
>      >      >a valid HTTP request or a CONNECT request.
>      >
>      >     what's the difference between TCP redirect and this?
>      >
>      >     --
>      >     Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
>      >     Warning: I wish NOT to receive e-mail advertising to this address.
>      >     Warning: I do NOT want to receive any advertising mail at this address.
>      >     Depression is merely anger without enthusiasm.
>      >     _______________________________________________
>      >     squid-users mailing list
>      >     squid-users at lists.squid-cache.org
>      >     https://lists.squid-cache.org/listinfo/squid-users
>      >
> 
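The step1/step2 distinction in Alex's quoted reply turns on one fact: a proxy can only learn the client's SNI by peeking at a TLS ClientHello, so traffic that is not TLS has to be spliced before any peek. The following is an added example, not Squid's own code: a simplified check of the first bytes of a connection, with a constructed ClientHello as sample input (it is not a complete TLS parser).

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000

def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the first bytes are a TLS handshake record holding a ClientHello.
    Anything else (HTTP, SSH, a custom protocol) has no SNI to peek at."""
    return (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == CLIENT_HELLO)

def extract_sni(data: bytes):
    """Return the server_name from a ClientHello, or None if absent/malformed."""
    if not looks_like_tls_client_hello(data):
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    pos = 4 + 2 + 32            # skip handshake header, version, random
    try:
        pos += 1 + body[pos]                                    # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
        pos += 1 + body[pos]                                    # compression
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: list_len(2) name_type(1) name_len(2) host
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)            # client_version + random
             + b"\x00"                          # empty session id
             + b"\x00\x02\x13\x01"              # one cipher suite
             + b"\x01\x00"                      # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs
```

Running `extract_sni` over a plain HTTP or SSH banner returns None, which is the situation the "splice at step1" advice above is about.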


