[squid-users] TLS passthrough
Fernando Giorgetti
fgiorgetti at gmail.com
Thu Sep 28 15:31:56 UTC 2023
Hello Alex, thanks for your reply.
And what should I do to let Squid use the SNI defined by the TLS client?
Thanks again,
Fernando
On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > If so, I would say, it should work as well.
> >
> > But this is an environment I do not control, and I have been told to try
> > using an existing squid installation to proxy non-http/TLS data through.
> >
> > I appreciate any guidance or recommendation.
>
>
> Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
> X) TCP traffic to its intended destination:
>
> https_port X intercept ssl-bump ...
> ssl_bump splice all
>
>
> Without interception, Squid can only tunnel stuff inside HTTP
> CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
>
> http_port Y ssl-bump ...
> ssl_bump splice all
>
>
> In both cases, Squid does not care about the protocols that tunneled
> traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
> of TCP.
>
> Your ACLs may differ from "all" in the above sketches, of course, but if
> traffic is not TLS, then you want an "ssl_bump splice" rule that matches
> during SslBump step1. A rule with an "all" ACL is the simplest example
> of that.
>
>
> HTH,
>
> Alex.
> P.S. I am getting an "Internal Server Error" when following the haproxy
> link in the original question, so I cannot map what that page says to
> the configurations above.
>
>
> > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> >
> > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > >I would like to know if it is possible to set up Squid to perform
> > >TLS passthrough to a given backend, relaying TLS encrypted
> > >traffic to the backend, similarly to what HAProxy does below?
> > >
> > >
> > >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > >
> > >I have tried a few different configurations using reverse proxy,
> > >or peek and splice, but I could not make it work without providing
> > >a valid HTTP request or a CONNECT request.
> >
> > what's the difference between TCP redirect and this?
> >
> > --
> > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Warning: I do not want to receive any advertising mail at this address.
> > Depression is merely anger without enthusiasm.
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > https://lists.squid-cache.org/listinfo/squid-users
> >
>
>
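A squid.conf sketch that puts Alex's two variants together and answers Fernando's follow-up about the client's SNI, added here as an illustration rather than taken from the thread or from the Squid project: on the intercepted port Squid peeks at SslBump step 1 (which is where it parses the ClientHello and learns the SNI) and then splices, while on the CONNECT port everything is spliced already at step 1, so non-TLS payloads are not stalled waiting for a ClientHello. Port numbers, the certificate path, the log path and the ACL names are assumptions; the syntax is Squid 4 or later (`tls-cert=`).

```conf
# Added illustration, not configuration from the thread or the Squid project.
# Port numbers, certificate path and log path are placeholders.

# Variant 1 (intercepted): TCP traffic DNAT'ed to port 3130 is tunneled to its
# original destination. Clients here speak TLS, so Squid can afford to peek first.
# Squid wants a certificate file on an ssl-bump port even when nothing is bumped.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/placeholder-cert.pem

# Variant 2 (explicit): clients send HTTP CONNECT to port 3128. The tunnel
# payload may be anything on top of TCP, not necessarily TLS.
http_port 3128 ssl-bump tls-cert=/etc/squid/placeholder-cert.pem

# step1: Squid has only the TCP connection (or the CONNECT request) so far.
acl step1 at_step SslBump1
# tls_port: connections that arrived on the intercept port above.
acl tls_port localport 3130

# Intercept port: peek at step 1 so Squid parses the ClientHello and records
# the client's SNI, then fall through to splice (raw bytes forwarded, no
# certificate mimicking, origin server sees the untouched ClientHello).
ssl_bump peek step1 tls_port

# Everything else, including non-TLS CONNECT payloads on port 3128, is spliced
# at step 1; this is the "splice rule that matches during step1" Alex describes.
ssl_bump splice all

# Make the observed SNI visible per connection: time, client address, SNI,
# and Squid's request/hierarchy status (useful to confirm a TCP_TUNNEL result).
logformat tls_passthrough %ts.%03tu %>a %ssl::>sni %Ss:%Sh
access_log /var/log/squid/tls-passthrough.log tls_passthrough
```

Validate the file with `squid -k parse -f /path/to/squid.conf` before reloading; on the CONNECT port the SNI column stays empty for non-TLS payloads, since Squid never inspects them.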