[squid-users] TLS passthrough
Alex Rousskov
rousskov at measurement-factory.com
Thu Sep 28 16:02:52 UTC 2023
On 2023-09-28 11:31, Fernando Giorgetti wrote:
> And what should I do to let Squid use the SNI defined by the TLS client?
What do you want Squid to use that SNI for?
Alex.
> On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
>
> On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > If so, I would say, it should work as well.
> >
> > But this is an environment I do not control, and I have been told to try
> > using an existing squid installation to proxy non-http/TLS data through.
> >
> > I appreciate any guidance or recommendation.
>
>
> Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
> X) TCP traffic to its intended destination:
>
> https_port X intercept ssl-bump ...
> ssl_bump splice all
>
>
> Without interception, then Squid can only tunnel stuff inside HTTP
> CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
>
> http_port Y ssl-bump ...
> ssl_bump splice all
>
>
> In both cases, Squid does not care about the protocols that tunneled
> traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
> of TCP.
>
> Your ACLs may differ from "all" in the above sketches, of course, but if
> traffic is not TLS, then you want an "ssl_bump splice" rule that matches
> during SslBump step1. A rule with an "all" ACL is the simplest example
> of that.
>
>
> HTH,
>
> Alex.
> P.S. I am getting an "Internal Server Error" when following the haproxy
> link in the original question, so I cannot map what that page says to
> the configurations above.
>
>
> > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> >
> > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > I would like to know if it is possible to set up Squid to perform
> > > TLS passthrough to a given backend, relaying TLS encrypted
> > > traffic to the backend, similarly to what HAProxy does below?
> > >
> > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > >
> > > I have tried a few different configurations using reverse proxy,
> > > or peek and splice, but I could not make it work without providing
> > > a valid HTTP request or a CONNECT request.
> >
> > what's the difference between TCP redirect and this?
> >
> > --
> > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Warning: I do not wish to receive any advertising mail at this address.
> > Depression is merely anger without enthusiasm.
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > https://lists.squid-cache.org/listinfo/squid-users
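A worked squid.conf fragment, added here as an editor's example and not taken from the thread or from the Squid project, that combines the two points made above: traffic that is not TLS has to be spliced by a rule that matches at SslBump step1, while the SNI sent by the TLS client only becomes visible to ACLs if Squid peeks at step1 and decides at step2. The port number, the 192.0.2.10 backend, the .example.internal names and the certificate path are constructed; the fragment assumes Squid 4 or later (tls-cert= rather than the older cert= option).

```conf
# Intercepted TCP arrives here via an iptables REDIRECT/DNAT rule (not shown).
# ssl-bump on an intercept port requires a signing certificate even when
# every connection ends up spliced; the path is a placeholder.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Destinations that carry something other than TLS (constructed address).
# They are matched by destination IP, which is already known at step1:
# Squid has read no client bytes yet, so it never tries to parse a ClientHello.
acl raw_tcp_dst dst 192.0.2.10/32

# TLS backends selected by the SNI the client sent (constructed names).
# ssl::server_name is only populated after a peek at step1.
acl backend_sni ssl::server_name .example.internal

# Order matters: at each step the first matching rule wins.
ssl_bump splice raw_tcp_dst     # non-TLS: blind tunnel, decided at step1
ssl_bump peek step1             # TLS: read the ClientHello without altering it
ssl_bump splice backend_sni     # step2: SNI matched, relay the client's own TLS bytes unchanged
ssl_bump terminate all          # anything else: close the connection

# Blind variant from the reply above: no peeking, so no SNI for ACLs to use.
# ssl_bump splice all
```

A client that sends no SNI, or one whose SNI does not match backend_sni, is terminated by the last rule; relax it to a splice if every TLS destination should be relayed.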