[squid-users] Can I use squid to reverse proxy https (without making it a man-in-the-middle)?
Stefan Blachmann
sblachmann at gmail.com
Mon May 8 04:19:33 UTC 2017
With squid, it apparently seems impossible to just pass through SSL
traffic to the HTTPS servers without breaking privacy. The same seems
to be valid for some other "proxies" like nginx when being used as
reverse proxy.
So my solution to the problem was to discard squid and switch to haproxy.
Maybe I am not the only one who wants a proxy which can _actually_ do
SNI, i.e. use the clear-text domain name to just pass through to the
appropriate server, _without_ having to intercept and encrypt the
data.
I think my very simple haproxy.conf is quite self-explanatory, so I
attach it in the following to possibly help others who have similar
needs:
global
    maxconn 2000
    user haproxy
    group haproxy

defaults
    timeout client 30s
    timeout server 30s
    timeout connect 10s

# Plain HTTP: route on the Host header.
frontend ft_http
    bind 10.0.0.10:80
    mode http
    acl http_sitewithssl_de hdr(host) -i sitewithssl.de
    acl http_sitewithssl_de_www hdr(host) -i www.sitewithssl.de
    acl http_anothersitewithoutssl_de hdr(host) -i anothersitewithoutssl.de
    acl http_anothersitewithoutssl_de_www hdr(host) -i www.anothersitewithoutssl.de
    use_backend backend_sitewithssl_de_http if http_sitewithssl_de
    use_backend backend_sitewithssl_de_http if http_sitewithssl_de_www
    use_backend backend_anothersitewithoutssl_de_http if http_anothersitewithoutssl_de
    use_backend backend_anothersitewithoutssl_de_http if http_anothersitewithoutssl_de_www

# HTTPS: TCP mode, so TLS is never terminated here. Routing uses the
# clear-text SNI from the ClientHello. The two tcp-request lines make
# haproxy wait (up to 5s) until the ClientHello has been buffered;
# without them req_ssl_sni is evaluated on an empty buffer and never matches.
frontend ft_https
    bind 10.0.0.10:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl https_sitewithssl_de req_ssl_sni -i sitewithssl.de
    acl https_sitewithssl_de_www req_ssl_sni -i www.sitewithssl.de
    use_backend backend_sitewithssl_de_https if https_sitewithssl_de
    use_backend backend_sitewithssl_de_https if https_sitewithssl_de_www

backend backend_anothersitewithoutssl_de_http
    mode http
    server server_anothersitewithoutssl_de_http 10.0.0.8:80

backend backend_sitewithssl_de_http
    mode http
    server server_sitewithssl_de_http 10.0.0.9:80

# The TLS session is relayed byte-for-byte to the backend, which holds the keys.
backend backend_sitewithssl_de_https
    mode tcp
    server server_sitewithssl_de_https 10.0.0.9:443
On 5/4/17, Stefan Blachmann <sblachmann at gmail.com> wrote:
> I am using squid 3.5.23 for no-caching reverse proxying http to
> backend web servers.
> I want to do the same with https.
>
> If I try to make cache_peer, acl, http_access and cache_peer_access
> for port 443 in addition to port 80, the connection attempt fails with
> browser complaining about error code: SSL_ERROR_RX_RECORD_TOO_LONG. In
> squid access log then there is a complaint about "invalid request".
>
> Is there a way to configure squid to just pass through https traffic
> to https backends? Just like it does with http?
> That is, _without_ needing to give squid access to the certificates and
> keys?
>
> (I ask because all instructions I found on the web are
> privacy-breaking decrypting MitM interception instructions. And I do
> _not_ want to do it this way!)
>
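The SNI passthrough in the haproxy.conf above works only because the server name is sent in the clear in the TLS ClientHello, before any key exchange, so a TCP-mode proxy can read it and relay the connection without ever holding a certificate or key. The following is an added example, not part of the post or of HAProxy: a small parser that pulls the SNI out of a raw ClientHello and picks a backend the way the ft_https frontend does (case-insensitive match, no backend when there is no match). It also shows the failure mode the tcp-request lines guard against: a buffer that is not yet a complete ClientHello yields no name. The hostnames and backend addresses are the example values from the post; build_client_hello is a constructed fixture that produces sample input.

```python
import struct

# Constructed routing table mirroring the tcp-mode frontend above
# (example hostnames and addresses from the post, not real hosts).
ROUTES = {
    "sitewithssl.de": ("10.0.0.9", 443),
    "www.sitewithssl.de": ("10.0.0.9", 443),
}


def build_client_hello(hostname, with_sni=True):
    """Constructed fixture: a minimal TLS 1.2 ClientHello record that
    optionally carries a server_name (SNI) extension."""
    name = hostname.encode("ascii")
    extensions = b""
    if with_sni:
        server_name = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        name_list = struct.pack("!H", len(server_name)) + server_name
        extensions = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + b"\x00" * 32                          # random (fixed for determinism)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the SNI hostname (lower-cased) from a raw TLS ClientHello, or
    None if the buffer is not yet a complete ClientHello or has no SNI."""
    # Record header: content type 0x16 = handshake, version, 2-byte length.
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                       # record not fully buffered yet
    hs = data[5:5 + rec_len]
    # Handshake header: type 0x01 = ClientHello (haproxy's req_ssl_hello_type 1).
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                          # skip client_version and random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                    # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                    # compression_methods
    if len(hs) < pos + 2:
        return None                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if len(hs) < end:
        return None
    # Walk the extension list looking for server_name (type 0).
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000 or len(ext) < 5:
            continue
        name_type = ext[2]                # after the 2-byte server_name_list length
        name_len = struct.unpack("!H", ext[3:5])[0]
        name = ext[5:5 + name_len]
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii", errors="replace").lower()
    return None


def choose_backend(data, routes=ROUTES):
    """Select a backend for a buffered ClientHello as the tcp-mode frontend
    does: case-insensitive SNI match, None when nothing matches."""
    sni = extract_sni(data)
    return None if sni is None else routes.get(sni)


if __name__ == "__main__":
    hello = build_client_hello("WWW.SiteWithSSL.de")
    print(extract_sni(hello), "->", choose_backend(hello))
```

Note what the proxy never sees: only the record and handshake headers and the clear-text SNI are inspected; the rest of the handshake, and everything after it, is relayed as opaque bytes, which is exactly why no certificate or private key is needed on the proxy.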