<div dir="ltr"><div dir="ltr"><div dir="ltr">Hello Alex,</div><div><br></div><div>First of all, thanks for your attention and time.</div><div><br></div><div>Actually I am evaluating if Squid can be used to proxy non-HTTP/TLS data, as we have a restricted environment where Squid is currently the only way to get out to the internet.</div><div><br></div><div>The idea is that the client application will open a connection to a given hostname and port (setting the SNI in the TLS options), considering that the given hostname/port is the actual backend they're trying to reach.</div><div><br></div><div>We can either try to use a fake hostname (defined in the /etc/hosts of the TLS client machine) which would actually point to Squid's IP, or eventually redirect traffic to the real destination into Squid using a DNAT rule.</div><div><br></div><div>But overall, it will be a 1:1 relationship, meaning the https_port on Squid would be used exclusively for this purpose of proxying from a given source to a given destination.</div><div><br></div><div>That is why I was considering a reverse proxy, but I had no luck with it (actually I was able to proxy HTTP/HTTPS, but not non-HTTP).</div><div><br></div><div>Thank you again,</div><div>Fernando</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov &lt;<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-09-28 20:35, Fernando Giorgetti wrote:<br>
<br>
> Do you have any recommendations on how I could have it done?<br>
<br>
I am unable to confirm whether Squid can do what you want or provide <br>
configuration recommendations because I do not yet know how your Squid <br>
will receive traffic (e.g., an intercepting proxy or an explicit forward <br>
HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP, <br>
something else), and what you want Squid to do with that traffic.<br>
<br>
To make progress, I recommend describing the above details (for one <br>
typical use case?) and then answering any followup questions.<br>
<br>
<br>
Cheers,<br>
<br>
Alex.<br>
<br>
<br>
> When my tls client tries to reach the target through Squid, using<br>
> a "ssl_bump splice", it seems like squid is trying to reach itself in a <br>
> loop.<br>
> <br>
> I have also tried including a peek first, but no luck.<br>
> <br>
> Thanks again for all suggestions.<br>
> <br>
> On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote:<br>
> <br>
>     On 2023-09-28 15:23, Fernando Giorgetti wrote:<br>
> <br>
>      > Actually with the suggested blind passthrough, Squid would not handle<br>
>      > the TLS termination.<br>
> <br>
>     Correct.<br>
> <br>
> <br>
>      > how will Squid know what the target is?<br>
> <br>
>     In many cases, Squid can learn SNI by peeking at TLS ClientHello,<br>
>     without terminating TLS. Bugs notwithstanding, none of the configuration<br>
>     sketches I shared previously will do that though.<br>
> <br>
> <br>
>     HTH,<br>
> <br>
>     Alex.<br>
> <br>
> <br>
> <br>
>      > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:<br>
>      ><br>
>      >     On 2023-09-28 11:31, Fernando Giorgetti wrote:<br>
>      ><br>
>      >      > And what should I do to let Squid use the SNI defined by the TLS<br>
>      >      > client?<br>
>      ><br>
>      >     What do you want Squid to use that SNI for?<br>
>      ><br>
>      >     Alex.<br>
>      ><br>
>      ><br>
>      >      > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:<br>
>      >      ><br>
>      >      >     On 2023-09-28 09:06, Fernando Giorgetti wrote:<br>
>      >      >      > Hi Matus, do you mean something like a DNAT (iptables) rule?<br>
>      >      >      > If so, I would say, it should work as well.<br>
>      >      >      ><br>
>      >      >      > But this is an environment I do not control, and I have been told<br>
>      >      >      > to try using an existing squid installation to proxy non-http/TLS<br>
>      >      >      > data through.<br>
>      >      >      ><br>
>      >      >      > I appreciate any guidance or recommendation.<br>
>      >      ><br>
>      >      ><br>
>      >      >     Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port<br>
>      >      >     X) TCP traffic to its intended destination:<br>
>      >      ><br>
>      >      >           https_port X intercept ssl-bump ...<br>
>      >      >           ssl_bump splice all<br>
>      >      ><br>
>      >      ><br>
>      >      >     Without interception, Squid can only tunnel stuff inside HTTP<br>
>      >      >     CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):<br>
>      >      ><br>
>      >      >           http_port Y ssl-bump ...<br>
>      >      >           ssl_bump splice all<br>
>      >      ><br>
>      >      ><br>
>      >      >     In both cases, Squid does not care about the protocols that tunneled<br>
>      >      >     traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top<br>
>      >      >     of TCP.<br>
>      >      ><br>
>      >      >     Your ACLs may differ from "all" in the above sketches, of course, but if<br>
>      >      >     traffic is not TLS, then you want an "ssl_bump splice" rule that matches<br>
>      >      >     during SslBump step1. A rule with an "all" ACL is the simplest example<br>
>      >      >     of that.<br>
>      >      ><br>
>      >      ><br>
>      >      >     HTH,<br>
>      >      ><br>
>      >      >     Alex.<br>
>      >      >     P.S. I am getting an "Internal Server Error" when following the haproxy<br>
>      >      >     link in the original question, so I cannot map what that page says to<br>
>      >      >     the configurations above.<br>
>      >      ><br>
>      >      ><br>
>      >      >      > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:<br>
>      >      >      ><br>
>      >      >      >     On 27.09.23 16:48, Fernando Giorgetti wrote:<br>
>      >      >      >      >I would like to know if it is possible to set up Squid to perform<br>
>      >      >      >      >TLS passthrough to a given backend, relaying TLS encrypted<br>
>      >      >      >      >traffic to the backend, similarly to what HAProxy does below?<br>
>      >      >      >      ><br>
>      >      >      >      ><a href="https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough" rel="noreferrer" target="_blank">https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough</a><br>
>      >      >      >      ><br>
>      >      >      >      >I have tried a few different configurations using reverse proxy,<br>
>      >      >      >      >or peek and splice, but I could not make it work without providing<br>
>      >      >      >      >a valid HTTP request or a CONNECT request.<br>
>      >      >      ><br>
>      >      >      >     what's the difference between TCP redirect and this?<br>
>      >      >      ><br>
>      >      >      >     --<br>
>      >      >      >     Matus UHLAR - fantomas, <a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a><br>
>      >      >      >     ; <a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
>      >      >      >     Warning: I wish NOT to receive e-mail advertising to this address.<br>
>      >      >      >     Warning: I do not want to receive any advertising mail at this address.<br>
>      >      >      >     Depression is merely anger without enthusiasm.<br>
<br>
<br>
</blockquote></div>
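<p>The thread turns on two points Alex makes: a peeking proxy can read the SNI from the TLS ClientHello without terminating TLS, and traffic that is not TLS at all gives the proxy nothing to peek at, so it needs a splice rule that already matches at SslBump step1. The script below is an added example, written for this page and not code from Squid or from anyone in the thread, that shows both on constructed input: it parses a ClientHello record, recovers the host_name from the server_name extension, and reports what a step1 policy could see for a TLS stream with SNI, a TLS stream without SNI, a plain-TCP protocol (a constructed SSH banner), and a truncated first read. The function names (<code>build_client_hello</code>, <code>parse_client_hello_sni</code>, <code>step1_decision</code>), the hostname <code>backend.example.com</code> and the sample bytes are all hypothetical. A practitioner can feed it the first bytes captured from a real client to check whether that client actually sends SNI before writing ssl_bump ACLs that depend on it.</p>

```python
"""
What a TLS-peeking proxy can learn at SslBump "step1" without terminating TLS.

Added example, not Squid code: it reads the first bytes a client sent and
decides whether they form a TLS ClientHello and, if so, which SNI host_name
the hello carries.  Every input below is constructed for the demonstration.
"""
import struct

SSH_BANNER = b"SSH-2.0-OpenSSH_9.3\r\n"  # constructed non-TLS sample (plain TCP protocol)


class NeedMoreData(Exception):
    """The peeked bytes end before the ClientHello does; a proxy would keep peeking."""


def _need(buf, pos, n):
    if pos + n > len(buf):
        raise NeedMoreData(f"need {pos + n} bytes, have {len(buf)}")


def build_client_hello(sni):
    """Construct a minimal ClientHello record (TLS 1.2 framing) as sample input."""
    hello = b"\x03\x03" + bytes(32)                  # client_version + zeroed random (sample)
    hello += b"\x00"                                 # empty session_id
    suites = b"\x13\x01\x13\x02"                     # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                             # one compression method: null
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name(0)
        sni_ext = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts = b"\x00\x2b\x00\x03\x02\x03\x04"                       # supported_versions, must be skipped
        exts += b"\x00\x00" + struct.pack("!H", len(sni_ext)) + sni_ext   # server_name (type 0)
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello_sni(data):
    """Return the SNI host_name of a ClientHello record, or None if it has none.

    Raises ValueError if the bytes are not a TLS handshake ClientHello and
    NeedMoreData if the record is incomplete.  Nothing is decrypted: the
    ClientHello travels in the clear, which is all that "peeking" relies on.
    """
    _need(data, 0, 5)
    if data[0] != 0x16 or data[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    _need(data, 5, rec_len)
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise NeedMoreData("ClientHello continues in the next record")
    pos = 2 + 32                                     # client_version + random
    _need(hs, pos, 1)
    pos += 1 + hs[pos]                               # session_id
    _need(hs, pos, 2)
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    _need(hs, pos, 1)
    pos += 1 + hs[pos]                               # compression_methods
    if pos == len(hs):
        return None                                  # no extensions block at all
    _need(hs, pos, 2)
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    _need(hs, 0, ext_end)
    while pos + 4 <= ext_end:                        # walk extensions until server_name (type 0)
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        lp = 2                                       # skip ServerNameList length
        while lp + 3 <= len(edata):
            ntype = edata[lp]
            nlen = struct.unpack("!H", edata[lp + 1:lp + 3])[0]
            lp += 3
            if ntype == 0:                           # host_name entry
                return edata[lp:lp + nlen].decode("ascii")
            lp += nlen
    return None


def step1_decision(peeked):
    """Summarise what a step1 splice policy can see in the peeked bytes."""
    try:
        sni = parse_client_hello_sni(peeked)
    except NeedMoreData as e:
        return {"tls": None, "sni": None, "note": f"undecided: {e}"}
    except ValueError as e:
        return {"tls": False, "sni": None, "note": str(e)}
    return {"tls": True, "sni": sni, "note": "ClientHello parsed without decryption"}


if __name__ == "__main__":
    full = build_client_hello("backend.example.com")   # constructed hostname
    for label, sample in [("TLS with SNI", full), ("TLS without SNI", build_client_hello(None)),
                          ("SSH banner", SSH_BANNER), ("first 20 bytes only", full[:20])]:
        print(f"{label:22s} {step1_decision(sample)}")
```

The SSH banner case is the one Alex's "splice at step1" advice covers: the bytes are not a TLS record, so there is no SNI to wait for and the only sensible decision is to pass the stream through untouched. The truncated case shows why a proxy keeps reading before deciding; a real peek sees whatever the first read returned, not necessarily a whole record.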