[squid-users] Can I use squid to reverse proxy https (without making it a man-in-the-middle)?

Stefan Blachmann sblachmann at gmail.com
Mon May 8 04:19:33 UTC 2017


With squid, it apparently seems impossible to just pass through SSL
traffic to the HTTPS servers without breaking privacy. The same seems
to be valid for some other "proxies" like nginx when being used as
reverse proxy.

So my solution to the problem was to discard squid and switch to haproxy.

Maybe I am not the only one who wants a proxy which can _actually_ do
SNI, i.e. use the clear-text domain name to just pass through to the
appropriate server, _without_ having to intercept and encrypt the
data.
I think my very simple haproxy.conf is quite self-explanatory, so I
attach it in the following to possibly help others who have similar
needs:

global
  maxconn 2000
  user haproxy
  group haproxy

defaults
  timeout client 30s
  timeout server 30s
  timeout connect 10s

frontend ft_http
  bind 10.0.0.10:80
  mode http
  acl http_sitewithssl_de hdr(host) -i sitewithssl.de
  acl http_sitewithssl_de_www hdr(host) -i www.sitewithssl.de
  acl http_anothersitewithoutssl_de hdr(host) -i anothersitewithoutssl.de
  acl http_anothersitewithoutssl_de_www hdr(host) -i
www.anothersitewithoutssl.de
  use_backend backend_sitewithssl_de_http if http_sitewithssl_de
  use_backend backend_sitewithssl_de_http if http_sitewithssl_de_www
  use_backend backend_anothersitewithoutssl_de_http if
http_anothersitewithoutssl_de
  use_backend backend_anothersitewithoutssl_de_http if
http_anothersitewithoutssl_de_www

frontend ft_https
  bind 10.0.0.10:443
  mode tcp
  acl https_sitewithssl_de req_ssl_sni -i sitewithssl.de
  acl https_sitewithssl_de_www req_ssl_sni -i www.sitewithssl.de
  use_backend backend_sitewithssl_de_https if https_sitewithssl_de
  use_backend backend_sitewithssl_de_https if https_sitewithssl_de_www

backend backend_anothersitewithoutssl_de_http
  mode http
  server server_anothersitewithoutssl_de_http 10.0.0.8:80

backend backend_sitewithssl_de_http
  mode http
  server server_sitewithssl_de_http 10.0.0.9:80

backend backend_sitewithssl_de_https
  mode tcp
  server server_sitewithssl_de_https 10.0.0.9:443



On 5/4/17, Stefan Blachmann <sblachmann at gmail.com> wrote:
> I am using squid 3.5.23 for no-caching reverse proxying http to
> backend web servers.
> I want to do the same with https.
>
> If I try to make cache_peer, acl, http_access and cache_peer_access
> for port 443 in addition to port 80, the connection attempt fails with
> browser complaining about error code: SSL_ERROR_RX_RECORD_TOO_LONG. In
> squid access log then there is a complaint about "invalid request".
>
> Is there a way to configure squid to just pass through https traffic
> to https backends? Just like it does with http?
> That is, _without_ needing to give squid access to the certificates and
> keys?
>
> (I ask because all instructions I found in the web are
> privacy-breaking decrypting Mitm interception instructions. And I do
> _not_ want to do it this way!)
>


More information about the squid-users mailing list