[squid-users] TLS passthrough

Fernando Giorgetti fgiorgetti at gmail.com
Thu Sep 28 15:31:56 UTC 2023


Hello Alex, thanks for your reply.

And what should I do to let Squid use the SNI defined by the TLS client?

Thanks again,
Fernando

On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > If so, I would say, it should work as well.
> >
> > But this is an environment I do not control, and I have been told to try
> > using an existing squid installation to proxy non-http/TLS data through.
> >
> > I appreciate any guidance or recommendation.
>
>
> Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
> X) TCP traffic to its intended destination:
>
>      https_port X intercept ssl-bump ...
>      ssl_bump splice all
>
>
> Without interception, then Squid can only tunnel stuff inside HTTP
> CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
>
>      http_port Y ssl-bump ...
>      ssl_bump splice all
>
>
> In both cases, Squid does not care about the protocols that tunneled
> traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
> of TCP.
>
> Your ACLs may differ from "all" in the above sketches, of course, but if
> traffic is not TLS, then you want an "ssl_bump splice" rule that matches
> during SslBump step1. A rule with an "all" ACLs is the simplest example
> of that.
>
>
> HTH,
>
> Alex.
> P.S. I am getting an "Internal Server Error" when following the haproxy
> link in the original question, so I cannot map what that page says to
> the configurations above.
>
>
> > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> >
> >     On 27.09.23 16:48, Fernando Giorgetti wrote:
> >      >I would like to know if it is possible to set up Squid to perform
> >      >TLS passthrough to a given backend, relaying TLS encrypted
> >      >traffic to the backend, similarly to what HAProxy does below?
> >      >
> >      >
> >      >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> >      >
> >      >I have tried a few different configurations using reverse proxy,
> >      >or peek and splice, but I could not make it work without providing
> >      >a valid HTTP request or a CONNECT request.
> >
> >     what's the difference between TCP redirect and this?
> >
> >     --
> >     Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> >     Warning: I wish NOT to receive e-mail advertising to this address.
> >     Warning: I do not want to receive any advertising mail at this address.
> >     Depression is merely anger without enthusiasm.
> >     _______________________________________________
> >     squid-users mailing list
> >     squid-users at lists.squid-cache.org
> >     https://lists.squid-cache.org/listinfo/squid-users
> >
> >
>
>
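To put Alex's two port sketches and the follow-up question about the client's SNI side by side, here is an added squid.conf sketch that is not from the thread. It assumes Squid 4 or later (for at_step, ssl::server_name and on_unsupported_protocol); the port numbers, certificate path and backend domain are placeholders.

```conf
# Added example, not from the thread. Ports, paths and ".backend.example"
# are placeholders; Squid 4+ directives are assumed.

# Mode 1 (Alex's first sketch): transparently intercepted TCP. The OS must
# redirect the client's port 443 traffic to 3130 (the DNAT rule Matus
# mentioned). ssl-bump needs a certificate even if nothing is ever bumped.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem

# Mode 2 (Alex's second sketch): explicit proxy, payload arrives inside
# an HTTP CONNECT tunnel.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem

acl step1 at_step SslBump1

# Backends whose TLS is relayed untouched, matched on the SNI that the
# client put in its ClientHello (or the CONNECT host before peeking).
acl passthrough ssl::server_name .backend.example

# Variant A, exactly what the thread recommends for non-TLS payloads:
# splice at step1 so Squid never looks inside the stream. Works for any
# protocol on top of TCP.
ssl_bump splice all

# Variant B, SNI-aware (uncomment and remove "splice all" above): peek at
# step1 so Squid reads the ClientHello, then splice only known backends.
# A non-TLS stream has no ClientHello; on_unsupported_protocol makes Squid
# tunnel such a stream blindly instead of answering with an error page.
# ssl_bump peek step1
# ssl_bump splice passthrough
# ssl_bump terminate all
# on_unsupported_protocol tunnel all
```

Variant B only knows the SNI after the step1 peek, so ssl::server_name decisions belong at step2 or later; variant A is the one to keep when the relayed data is not TLS at all.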