[squid-users] TLS passthrough
Fernando Giorgetti
fgiorgetti at gmail.com
Fri Sep 29 13:17:27 UTC 2023
Hello Alex,
First of all, thanks for your attention and time.
Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS
data, as we have a restricted environment where Squid is currently the
only way to get out to the internet.
The idea is that the client application will open a connection to a given
hostname and port (setting the SNI in the TLS options), considering that
the given hostname/port is the actual backend they're trying to reach.
We can either try to use a fake hostname (defined in the /etc/hosts of the
tls client machine) which would actually point to Squid's IP or eventually
redirect traffic to the real destination into Squid using a DNAT rule.
But overall, it will be a 1:1 relationship, meaning, the https_port on Squid
would be used exclusively to this purpose of proxying from a given source
to a given destination.
That is why I was considering a reverse-proxy, but I had no luck with it
(actually I was able to proxy HTTP/HTTPS, but not non-http).
Thank you again,
Fernando
On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 2023-09-28 20:35, Fernando Giorgetti wrote:
>
> > Do you have any recommendations on how I could have it done?
>
> I am unable to confirm whether Squid can do what you want or provide
> configuration recommendations because I do not yet know how your Squid
> will receive traffic (e.g., an intercepting proxy or an explicit forward
> HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP,
> something else), and what you want Squid to do with that traffic.
>
> To make progress, I recommend describing the above details (for one
> typical use case?) and then answering any followup questions.
>
>
> Cheers,
>
> Alex.
>
>
> > When my tls client tries to reach the target through Squid, using
> > a "ssl_bump splice", it seems like squid is trying to reach itself in a
> > loop.
> >
> > I have also tried including a peek first, but no luck.
> >
> > Thanks again for all suggestions.
> >
> > On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote:
> >
> > On 2023-09-28 15:23, Fernando Giorgetti wrote:
> >
> > > Actually with the suggested blind passthrough, Squid would not handle
> > > the TLS termination.
> >
> > Correct.
> >
> >
> > > how will Squid know what the target is?
> >
> > In many cases, Squid can learn SNI by peeking at TLS ClientHello,
> > without terminating TLS. Bugs notwithstanding, none of the configuration
> > sketches I shared previously will do that though.
> >
> >
> > HTH,
> >
> > Alex.
> >
> >
> >
> > > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> > >
> > > On 2023-09-28 11:31, Fernando Giorgetti wrote:
> > >
> > > > And what should I do to let Squid use the SNI defined by the TLS
> > > > client?
> > >
> > > What do you want Squid to use that SNI for?
> > >
> > > Alex.
> > >
> > >
> > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> > > >
> > > > On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > > > > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > > > > If so, I would say, it should work as well.
> > > > >
> > > > > But this is an environment I do not control, and I have been told
> > > > > to try using an existing squid installation to proxy non-http/TLS
> > > > > data through.
> > > > >
> > > > > I appreciate any guidance or recommendation.
> > > >
> > > >
> > > > Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
> > > > X) TCP traffic to its intended destination:
> > > >
> > > > https_port X intercept ssl-bump ...
> > > > ssl_bump splice all
> > > >
> > > >
> > > > Without interception, Squid can only tunnel stuff inside HTTP
> > > > CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> > > >
> > > > http_port Y ssl-bump ...
> > > > ssl_bump splice all
> > > >
> > > >
> > > > In both cases, Squid does not care about the protocols that tunneled
> > > > traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
> > > > of TCP.
> > > >
> > > > Your ACLs may differ from "all" in the above sketches, of course, but if
> > > > traffic is not TLS, then you want an "ssl_bump splice" rule that matches
> > > > during SslBump step1. A rule with an "all" ACL is the simplest example
> > > > of that.
> > > >
> > > >
> > > > HTH,
> > > >
> > > > Alex.
> > > > P.S. I am getting an "Internal Server Error" when following the haproxy
> > > > link in the original question, so I cannot map what that page says to
> > > > the configurations above.
> > > >
> > > >
> > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> > > > >
> > > > > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > > > >I would like to know if it is possible to set up Squid to perform
> > > > > >TLS passthrough to a given backend, relaying TLS encrypted
> > > > > >traffic to the backend, similarly to what HAProxy does below?
> > > > > >
> > > > > >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > > > > >
> > > > > >I have tried a few different configurations using reverse proxy,
> > > > > >or peek and splice, but I could not make it work without providing
> > > > > >a valid HTTP request or a CONNECT request.
> > > > >
> > > > > what's the difference between TCP redirect and this?
> > > > >
> > > > > --
> > > > > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > > > > Warning: I wish NOT to receive e-mail advertising to this address.
> > > > > Warning: I do not want to receive any advertising mail at this address.
> > > > > Depression is merely anger without enthusiasm.
> > > > > _______________________________________________
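Editor's note, added to the archived thread (this is not part of any message above and not configuration shipped by the Squid project): the two sketches Alex gives, the intercept case and the explicit CONNECT case, combined into one minimal squid.conf. The port numbers, the certificate path, the backend address 203.0.113.10:8443 and the ACL names are assumptions for illustration. The comments also record the caveat that matters for the /etc/hosts idea: in intercept mode Squid forwards a spliced connection to the TCP connection's original destination as recovered from the NAT table, not to the SNI, so a hostname that resolves to Squid's own IP makes Squid its own destination, whereas a DNAT rule keeps the real backend as the original destination.

```conf
# Added example: minimal squid.conf combining the two sketches from the thread.
# Ports, paths, addresses and ACL names are assumptions for illustration,
# not a tested site configuration.

# --- Case 1: intercepted TCP (Alex's "https_port X intercept ssl-bump ...") ---
# Traffic reaches this port through a NAT rule on the Squid host, for example
#   iptables -t nat -A PREROUTING -p tcp --dport 8443 -j REDIRECT --to-ports 3130
# Squid recovers the ORIGINAL destination from the NAT table and tunnels there.
# It does not pick the server from the SNI, so the original destination must be
# the real backend: a /etc/hosts entry that resolves the backend name to Squid's
# own IP makes Squid its own destination.
# The tls-cert path is a placeholder; nothing is ever bumped with it here.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/bump.pem

# --- Case 2: explicit proxy (Alex's "http_port Y ssl-bump ...") ---
# The client must send "CONNECT backend:8443" first; whatever follows is tunneled.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump.pem

# "all" matches during SslBump step1, which is what Alex asks for when the
# tunneled payload may not be TLS at all: no termination, and non-TLS bytes
# never reach the steps that would try to parse a ClientHello.
ssl_bump splice all

# Restrict what this 1:1 proxy may tunnel to. http_access also governs the
# fake CONNECT that Squid generates for intercepted connections.
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
acl backend_dst dst 203.0.113.10
acl backend_port port 8443
http_access allow localnet CONNECT backend_dst backend_port
http_access deny all
```

With this file, a client on 10.0.0.0/8 that either hits the REDIRECT rule on port 8443 or sends CONNECT 203.0.113.10:8443 to port 3128 gets a blind TCP tunnel to the backend; anything else is denied by the final http_access rule.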
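A second added example, again not from the thread and not Squid code, for Alex's remark that Squid can learn the SNI by peeking at the TLS ClientHello without terminating TLS. parse_sni() performs exactly that peek on the first record a client sends and returns None for anything a proxy should not treat as a ClientHello with SNI (non-TLS bytes, a truncated record, a hello without server_name). build_client_hello() exists only to construct test input offline; the host name backend.example.net, the SSH banner used as non-TLS input, and both function names are assumptions.

```python
"""Added example (not from the thread and not Squid code): learning the SNI from
the first TLS record a client sends, without terminating TLS.  This is the
information a "peek" step has available before any decision to splice."""
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed test input: a minimal, structurally valid TLS 1.2 ClientHello record."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list        # extension type 0 = server_name
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + bytes(32)                                # random (zeros; constructed input)
        + b"\x00"                                  # session_id: empty
        + b"\x00\x02\xc0\x2f"                      # cipher_suites: one entry, ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext        # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_sni(first_bytes: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None.

    None covers everything a proxy should treat as "not a ClientHello with SNI":
    non-TLS bytes (an SSH banner, plain HTTP), a truncated record, or a ClientHello
    without a server_name extension.  Nothing here needs keys or certificates.
    """
    try:
        if first_bytes[0] != 0x16:                               # ContentType.handshake
            return None
        rec_len = struct.unpack("!H", first_bytes[3:5])[0]
        rec = first_bytes[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:                 # HandshakeType.client_hello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                             # client_version + random
        pos += 1 + hs[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + hs[pos]                                       # compression_methods
        if pos + 2 > len(hs):
            return None                                          # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                    # server_name
                # ServerNameList: 2-byte list length, then (type, 2-byte length, name) entries
                lpos, lend = pos + 2, pos + ext_len
                while lpos + 3 <= lend:
                    name_type = hs[lpos]
                    name_len = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                    if name_type == 0:
                        return hs[lpos + 3:lpos + 3 + name_len].decode("ascii")
                    lpos += 3 + name_len
                return None
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    samples = [
        ("tls with sni", build_client_hello("backend.example.net")),
        ("tls without sni", build_client_hello(None)),
        ("ssh banner", b"SSH-2.0-OpenSSH_9.4\r\n"),                        # constructed non-TLS input
        ("truncated record", build_client_hello("backend.example.net")[:20]),
    ]
    for label, data in samples:
        print(f"{label:18s} -> {parse_sni(data)!r}")
```

The None cases are the ones Alex's last paragraph is about: when the first bytes are not a ClientHello, the only sensible ssl_bump decision is a splice that already matches at step1, because there is no SNI to peek at. In Squid the peeked name is what the ssl::server_name ACL matches after a peek at step1; the thread's sketches deliberately stop short of that.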