<div dir="ltr">Hello Alex, thanks for your reply.<div><br></div><div>And what should I do to let Squid use the SNI defined by the TLS client?</div><div><br></div><div>Thanks again,</div><div>Fernando</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-09-28 09:06, Fernando Giorgetti wrote:<br>
> Hi Matus, do you mean something like a DNAT (iptables) rule?<br>
> If so, I would say, it should work as well.<br>
> <br>
> But this is an environment I do not control, and I have been told to try<br>
> using an existing squid installation to proxy non-http/TLS data through.<br>
> <br>
> I appreciate any guidance or recommendation.<br>
<br>
<br>
Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port <br>
X) TCP traffic to its intended destination:<br>
<br>
https_port X intercept ssl-bump ...<br>
ssl_bump splice all<br>
<br>
<br>
Without interception, Squid can only tunnel stuff inside HTTP <br>
CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):<br>
<br>
http_port Y ssl-bump ...<br>
ssl_bump splice all<br>
<br>
<br>
In both cases, Squid does not care about the protocols that tunneled <br>
traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top <br>
of TCP.<br>
<br>
Your ACLs may differ from "all" in the above sketches, of course, but if <br>
traffic is not TLS, then you want an "ssl_bump splice" rule that matches <br>
during SslBump step1. A rule with an "all" ACL is the simplest example <br>
of that.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
P.S. I am getting an "Internal Server Error" when following the haproxy <br>
link in the original question, so I cannot map what that page says to <br>
the configurations above.<br>
<br>
<br>
> On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:<br>
> <br>
> On 27.09.23 16:48, Fernando Giorgetti wrote:<br>
> >I would like to know if it is possible to set up Squid to perform<br>
> >TLS passthrough to a given backend, relaying TLS encrypted<br>
> >traffic to the backend, similarly to what HAProxy does below?<br>
> ><br>
> ><a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a><br>
> ><br>
> >I have tried a few different configurations using reverse proxy,<br>
> >or peek and splice, but I could not make it work without providing<br>
> >a valid HTTP request or a CONNECT request.<br>
> <br>
> what's the difference between TCP redirect and this?<br>
> <br>
> -- <br>
> Matus UHLAR - fantomas, <a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a><br>
> ; <a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
> Warning: I wish NOT to receive e-mail advertising to this address.<br>
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.<br>
> Depression is merely anger without enthusiasm.<br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
> <br>
> <br>
</blockquote></div>
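<p>The two tunnelling modes Alex sketches above, written out as one squid.conf fragment. This is an added illustration, not configuration from the thread or from the Squid project. The port numbers, the certificate path, the ACL name and the iptables rule in the comments are assumptions for illustration; adapt them to the real deployment.</p>

```conf
# Added example (not from the thread). Port numbers, cert path and ACL
# names below are assumptions chosen for illustration.

# Mode 1: transparent interception. A NAT rule outside Squid steers the
# backend-bound TCP traffic to port 3129 (assumed), e.g. on the Squid host:
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3129
# Squid then opens a TCP tunnel to the packet's original destination.
# ssl-bump ports need a certificate even when every stream is spliced.
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/bump.pem \
    generate-host-certificates=off

# Mode 2: explicit proxy. Clients first send "CONNECT host:port HTTP/1.1"
# to port 3128 (assumed); after the 200 reply the bytes are relayed as-is.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump.pem

# Splice at SslBump step1: Squid never parses the TLS ClientHello, so the
# tunnelled payload can be HTTP, TLS or any other protocol on top of TCP.
# Consequence: no SNI is available to ACLs or logging in this mode.
ssl_bump splice all

# Variant, only if every tunnelled stream really is TLS and you want the
# client's SNI visible (ssl::server_name ACL, %ssl::>sni in logformat):
# peek at step1 (parses the ClientHello), then splice. Non-TLS traffic
# would fail here, which is why the thread recommends splicing at step1.
# acl step1 at_step SslBump1
# ssl_bump peek step1
# ssl_bump splice all
```

<p>Interception only changes where the TCP stream comes from; in both modes the destination is the one the client already chose (the original packet destination, or the CONNECT target), and Squid neither decrypts nor re-encrypts anything when it splices.</p>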