[squid-users] TLS passthrough

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 28 14:51:06 UTC 2023


On 2023-09-28 09:06, Fernando Giorgetti wrote:
> Hi Matus, do you mean something like a DNAT (iptables) rule?
> If so, I would say, it should work as well.
> 
> But this is an environment I do not control, and I have been told to try
> using an existing squid installation to proxy non-http/TLS data through.
> 
> I appreciate any guidance or recommendation.


Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port 
X) TCP traffic to its intended destination:

     https_port X intercept ssl-bump ...
     ssl_bump splice all


Without interception, Squid can only tunnel stuff inside HTTP 
CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):

     http_port Y ssl-bump ...
     ssl_bump splice all


In both cases, Squid does not care about the protocols that tunneled 
traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top 
of TCP.

Your ACLs may differ from "all" in the above sketches, of course, but if 
traffic is not TLS, then you want an "ssl_bump splice" rule that matches 
during SslBump step1. A rule with an "all" ACL is the simplest example 
of that.


HTH,

Alex.

P.S. I am getting an "Internal Server Error" when following the haproxy 
link in the original question, so I cannot map what that page says to 
the configurations above.


> On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> 
>     On 27.09.23 16:48, Fernando Giorgetti wrote:
>      >I would like to know if it is possible to set up Squid to perform
>      >TLS passthrough to a given backend, relaying TLS encrypted
>      >traffic to the backend, similarly to what HAProxy does below?
>      >
>      >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
>      >
>      >I have tried a few different configurations using reverse proxy,
>      >or peek and splice, but I could not make it work without providing
>      >a valid HTTP request or a CONNECT request.
> 
>     what's the difference between TCP redirect and this?
> 
>     -- 
>     Matus UHLAR - fantomas, uhlar at fantomas.sk
>     ; http://www.fantomas.sk/
>     Warning: I wish NOT to receive e-mail advertising to this address.
>     Warning: I do not want to receive any advertising mail at this address.
>     Depression is merely anger without enthusiasm.
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     https://lists.squid-cache.org/listinfo/squid-users
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
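The two sketches in Alex's reply, worked into one squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the port numbers, the CA certificate path and the client subnet are assumptions, and the certificate is included only because ssl-bump listening ports need one to be defined, even when nothing is ever bumped. Traffic is spliced at SslBump step1, before any TLS bytes are inspected, so the payload can be TLS or any other protocol on top of TCP.

```squid
# Added example (not from the thread). Ports, paths and subnet are assumptions.

# Case 1: intercepted TCP traffic (redirected to Squid by a DNAT/REDIRECT
# rule that the network owner maintains) arriving on TCP port 3129.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl/squid-ca.pem

# Case 2: explicit proxy port 3128. Without interception only payloads
# carried inside HTTP CONNECT tunnels can be relayed.
http_port 3128 ssl-bump tls-cert=/etc/squid/ssl/squid-ca.pem

# Splice during step1 so Squid never peeks at (or requires) a TLS
# ClientHello; a non-TLS payload passes through untouched. The trailing
# "splice all" matches anything the step1 rule did not.
acl step1 at_step SslBump1
ssl_bump splice step1
ssl_bump splice all

# Who may open tunnels, and to which destination ports. Intercepted
# connections are evaluated as fake CONNECT requests, so these rules
# apply to both listening ports.
acl localnet src 10.0.0.0/8
acl tunnel_ports port 443 8443
http_access allow localnet tunnel_ports
http_access deny all
```

With only splice rules, no host certificates are ever generated, so no sslcrtd_program helper is needed; the tunnelled bytes are relayed between client and origin server unchanged, and Squid's access log records the CONNECT (real or fake) rather than anything about the inner protocol.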


