<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Bugs notwithstanding, none of the configuration<br>sketches I shared previously will do that though.</blockquote><div><br></div><div>Do you have any recommendations on how I could have it done?</div><div>When my TLS client tries to reach the target through Squid, using </div><div>an "ssl_bump splice", it seems like Squid is trying to reach itself in a loop.</div><div><br></div><div>I have also tried including a peek first, but no luck.</div><div><br></div><div>Thanks again for all suggestions.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-09-28 15:23, Fernando Giorgetti wrote:<br>
<br>
> Actually with the suggested blind passthrough, Squid would not handle <br>
> the TLS termination.<br>
<br>
Correct.<br>
<br>
<br>
> how will Squid know what the target is?<br>
<br>
In many cases, Squid can learn SNI by peeking at TLS ClientHello, <br>
without terminating TLS. Bugs notwithstanding, none of the configuration <br>
sketches I shared previously will do that though.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
<br>
> On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:<br>
> <br>
> On 2023-09-28 11:31, Fernando Giorgetti wrote:<br>
> <br>
> > And what should I do to let Squid use the SNI defined by the TLS<br>
> client?<br>
> <br>
> What do you want Squid to use that SNI for?<br>
> <br>
> Alex.<br>
> <br>
> <br>
> > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:<br>
> ><br>
> > On 2023-09-28 09:06, Fernando Giorgetti wrote:<br>
> > > Hi Matus, do you mean something like a DNAT (iptables) rule?<br>
> > > If so, I would say, it should work as well.<br>
> > ><br>
> > > But this is an environment I do not control, and I have<br>
> been told<br>
> > to try<br>
> > > using an existing squid installation to proxy non-http/TLS<br>
> data<br>
> > through.<br>
> > ><br>
> > > I appreciate any guidance or recommendation.<br>
> ><br>
> ><br>
> > Bugs notwithstanding, Squid can blindly tunnel intercepted<br>
> (at TCP port<br>
> > X) TCP traffic to its intended destination:<br>
> ><br>
> > https_port X intercept ssl-bump ...<br>
> > ssl_bump splice all<br>
> ><br>
> ><br>
> > Without interception, Squid can only tunnel stuff inside<br>
> HTTP<br>
> > CONNECT tunnels (for HTTP CONNECT requests received at TCP<br>
> port Y):<br>
> ><br>
> > http_port Y ssl-bump ...<br>
> > ssl_bump splice all<br>
> ><br>
> ><br>
> > In both cases, Squid does not care about the protocols that<br>
> tunneled<br>
> > traffic is using. It could be HTTP, HTTPS, TLS, or anything<br>
> else on top<br>
> > of TCP.<br>
> ><br>
> > Your ACLs may differ from "all" in the above sketches, of course,<br>
> > but if<br>
> > traffic is not TLS, then you want an "ssl_bump splice" rule that<br>
> > matches<br>
> > during SslBump step1. A rule with an "all" ACL is the<br>
> simplest example<br>
> > of that.<br>
> ><br>
> ><br>
> > HTH,<br>
> ><br>
> > Alex.<br>
> > P.S. I am getting an "Internal Server Error" when following<br>
> the haproxy<br>
> > link in the original question, so I cannot map what that page<br>
> says to<br>
> > the configurations above.<br>
> ><br>
> ><br>
> > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:<br>
> > ><br>
> > > On 27.09.23 16:48, Fernando Giorgetti wrote:<br>
> > > >I would like to know if it is possible to set up<br>
> Squid to<br>
> > perform<br>
> > > >TLS passthrough to a given backend, relaying TLS<br>
> encrypted<br>
> > > >traffic to the backend, similarly to what HAProxy<br>
> does below?<br>
> > > ><br>
> > ><br>
> > <br>
> ><a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a><br>
> > > ><br>
> > > >I have tried a few different configurations using<br>
> reverse<br>
> > proxy,<br>
> > > >or peek and splice, but I could not make it work without<br>
> > providing<br>
> > > >a valid HTTP request or a CONNECT request.<br>
> > ><br>
> > > what's the difference between TCP redirect and this?<br>
> > ><br>
> > > --<br>
> > > Matus UHLAR - fantomas, <a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a><br>
> > > ; <a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
> > > Warning: I wish NOT to receive e-mail advertising to this<br>
> > address.<br>
> > > Warning: I do NOT want to receive any advertising mail at this address.<br>
> > > Depression is merely anger without enthusiasm.<br>
> > > _______________________________________________<br>
> > > squid-users mailing list<br>
> > > <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> > > <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
> > ><br>
> ><br>
> <br>
<br>
</blockquote></div>
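Alex's reply above makes two points that are easy to blur together: a proxy can learn the SNI by peeking at the TLS ClientHello without terminating TLS, and for traffic that is not TLS there is nothing to peek at, so the splice decision has to be taken at SslBump step1. The following Python script is an added example written for this thread; it is not Squid code and does not use Squid's configuration. It constructs a sample ClientHello (labelled as constructed; the random, cipher suite and version fields are dummy values), then parses the server_name extension out of it the way a peeking proxy would, returning None for truncated, SNI-less or non-TLS input. The function names build_client_hello, peek_sni, is_tls_client_hello and classify are this example's own and are not Squid identifiers.

```python
"""Peek at a TLS ClientHello for its SNI without terminating TLS.

Added example, not Squid code. Shows what a proxy can learn from the first
bytes a client sends, and that non-TLS or SNI-less traffic yields nothing,
so any decision about it must be made before a server name exists.
"""
import struct

SNI_EXT = 0x0000          # server_name extension type
HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello


def build_client_hello(server_name=None):
    """Construct a well-formed TLS 1.2 ClientHello record (constructed sample
    input; random, cipher suite and versions are dummy values). With
    server_name=None the SNI extension is omitted."""
    # supported_versions extension (0x002b): gives the parser something to skip
    sv_body = bytes([2, 0x03, 0x03])
    extensions = struct.pack("!HH", 0x002B, len(sv_body)) + sv_body
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host  # host_name entry
        sni_body = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + bytes(32)                              # random (dummy zeros)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD, 0x03, 0x01])
            + struct.pack("!H", len(handshake)) + handshake)


def is_tls_client_hello(data):
    """True if data starts with a TLS handshake record holding a ClientHello."""
    return (len(data) >= 6 and data[0] == HANDSHAKE_RECORD
            and data[1] == 0x03 and data[5] == CLIENT_HELLO)


def peek_sni(data):
    """Return the SNI host name from the leading ClientHello in data, or
    None when data is not a ClientHello, is truncated, or carries no SNI."""
    if not is_tls_client_hello(data):
        return None
    rec = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) < hs_len:
        return None                      # truncated; a real peeker would read more
    pos = 2 + 32                         # skip client_version and random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                   # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                   # compression_methods
    if pos + 2 > len(hs):
        return None                      # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if end > len(hs):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ebody = hs[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT or len(ebody) < 2:
            continue
        lst = ebody[2:2 + struct.unpack("!H", ebody[:2])[0]]
        i = 0
        while i + 3 <= len(lst):
            ntype, nlen = lst[i], struct.unpack("!H", lst[i + 1:i + 3])[0]
            name = lst[i + 3:i + 3 + nlen]
            if ntype == 0 and len(name) == nlen:   # host_name entry
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
            i += 3 + nlen
    return None


def classify(data):
    """Label the first client bytes the way an early (step1-style) decision sees them."""
    if not is_tls_client_hello(data):
        return "not-tls"
    return "tls-with-sni" if peek_sni(data) else "tls-without-sni"


if __name__ == "__main__":
    for sample in (build_client_hello("example.com"), build_client_hello(),
                   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"):   # constructed inputs
        print(classify(sample), peek_sni(sample))
```

Running the script prints one line per constructed sample: the ClientHello with SNI yields its host name, the SNI-less ClientHello is recognised as TLS but gives no name, and the plain HTTP request is classified as not-tls. That last case is the one the thread is about: when the first bytes are not a TLS handshake, there is never going to be a server name to match on, which is why a splice rule for such traffic has to match at step1 rather than wait for a peek.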