[squid-users] TLS passthrough

Fernando Giorgetti fgiorgetti at gmail.com
Thu Sep 28 19:23:27 UTC 2023


Actually with the suggested blind passthrough, Squid would not handle the
TLS termination.
So without a reverse proxy (accel mode), how will Squid know what the
target is?

On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 2023-09-28 11:31, Fernando Giorgetti wrote:
>
> > And what should I do to let Squid use the SNI defined by the TLS client?
>
> What do you want Squid to use that SNI for?
>
> Alex.
>
>
> > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> >
> >     On 2023-09-28 09:06, Fernando Giorgetti wrote:
> >      > Hi Matus, do you mean something like a DNAT (iptables) rule?
> >      > If so, I would say, it should work as well.
> >      >
> >      > But this is an environment I do not control, and I have been told
> >     to try
> >      > using an existing squid installation to proxy non-http/TLS data
> >     through.
> >      >
> >      > I appreciate any guidance or recommendation.
> >
> >
> >     Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
> >     X) TCP traffic to its intended destination:
> >
> >           https_port X intercept ssl-bump ...
> >           ssl_bump splice all
> >
> >
> >     Without interception, Squid can only tunnel stuff inside HTTP
> >     CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> >
> >           http_port Y ssl-bump ...
> >           ssl_bump splice all
> >
> >
> >     In both cases, Squid does not care about the protocols that tunneled
> >     traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
> >     of TCP.
> >
> >     Your ACLs may differ from "all" in the above sketches, of course, but if
> >     traffic is not TLS, then you want an "ssl_bump splice" rule that matches
> >     during SslBump step1. A rule with an "all" ACL is the simplest example
> >     of that.
> >
> >
> >     HTH,
> >
> >     Alex.
> >     P.S. I am getting an "Internal Server Error" when following the haproxy
> >     link in the original question, so I cannot map what that page says to
> >     the configurations above.
> >
> >
> >      > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> >      >
> >      >     On 27.09.23 16:48, Fernando Giorgetti wrote:
> >      >      >I would like to know if it is possible to set up Squid to perform
> >      >      >TLS passthrough to a given backend, relaying TLS encrypted
> >      >      >traffic to the backend, similarly to what HAProxy does below?
> >      >      >
> >      >      >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> >      >      >
> >      >      >I have tried a few different configurations using reverse proxy,
> >      >      >or peek and splice, but I could not make it work without providing
> >      >      >a valid HTTP request or a CONNECT request.
> >      >
> >      >     what's the difference between TCP redirect and this?
> >      >
> >      >     --
> >      >     Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> >      >     Warning: I wish NOT to receive e-mail advertising to this
> >     address.
> >      >     Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu
> >     postu.
> >      >     Depression is merely anger without enthusiasm.
> >      >     _______________________________________________
> >      >     squid-users mailing list
> >      >     squid-users at lists.squid-cache.org
> >      >     https://lists.squid-cache.org/listinfo/squid-users
> >      >
> >      >
> >
> >
>
>
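Added example, not from this thread and not Squid's own code: a Python model of the non-intercept case Alex describes (`http_port Y ssl-bump ...` with `ssl_bump splice all`). A small stand-in proxy (assumed, not Squid) does only two things the thread relies on: a connection that opens with `CONNECT host:port` is answered with `200 Connection established` and then relayed byte-for-byte to that host:port, whether the payload is TLS or not; and a connection whose first bytes are not an HTTP request is refused with an HTTP error, which is what a raw TLS client pointed straight at http_port runs into. Real Squid's exact error status, ACL evaluation and SslBump steps are not modelled, and all hosts, ports and payloads are constructed for the demo.

```python
"""Model of 'http_port + ssl_bump splice all' tunnelling (added example, not Squid code)."""
import socket
import socketserver
import threading

# Constructed payload: a TLS record header (handshake, version 3.1) plus junk.
# The tunnel never inspects it; any bytes would be relayed the same way.
TLS_LIKE = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"


def connect_through_proxy(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Issue HTTP CONNECT; return (socket, leftover) once the proxy answers 2xx.
    leftover holds any tunnel bytes that arrived in the same read as the headers."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                 f"Host: {target_host}:{target_port}\r\n\r\n".encode("ascii"))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    head, _, leftover = buf.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or not status[1].startswith(b"2"):
        sock.close()
        raise ConnectionError(f"CONNECT refused: {head!r}")
    return sock, leftover


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class SpliceAllProxy(socketserver.BaseRequestHandler):
    """Stand-in (not Squid): tunnel CONNECT blindly, refuse anything else."""

    def handle(self):
        client = self.request
        client.settimeout(5.0)
        buf = client.recv(4096)
        if not buf.startswith(b"CONNECT "):
            # Raw TLS (0x16 0x03 ...) or any other non-HTTP opening lands here.
            if buf:
                client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        while b"\r\n\r\n" not in buf:
            chunk = client.recv(4096)
            if not chunk:
                return
            buf += chunk
        head, _, early = buf.partition(b"\r\n\r\n")
        host, _, port = head.split(b"\r\n", 1)[0].split(b" ")[1].rpartition(b":")
        upstream = socket.create_connection((host.decode(), int(port)), timeout=5.0)
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        if early:  # bytes the client pipelined before our reply belong to the tunnel
            upstream.sendall(early)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        upstream.close()


class EchoBackend(socketserver.BaseRequestHandler):
    """Constructed backend: echoes whatever arrives, protocol-agnostic."""

    def handle(self):
        while data := self.request.recv(4096):
            self.request.sendall(data)


def start_server(handler):
    """Serve handler on an ephemeral 127.0.0.1 port in a background thread."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def relay_through_tunnel(payload):
    """Send payload client -> CONNECT proxy -> echo backend; return what came back."""
    backend, backend_port = start_server(EchoBackend)
    proxy, proxy_port = start_server(SpliceAllProxy)
    try:
        sock, got = connect_through_proxy("127.0.0.1", proxy_port, "127.0.0.1", backend_port)
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)
        while chunk := sock.recv(4096):
            got += chunk
        sock.close()
        return got
    finally:
        for s in (proxy, backend):
            s.shutdown()
            s.server_close()


def status_without_connect(first_bytes):
    """Send first_bytes straight to the proxy (no CONNECT); return the reply's status line."""
    proxy, proxy_port = start_server(SpliceAllProxy)
    try:
        with socket.create_connection(("127.0.0.1", proxy_port), timeout=5.0) as sock:
            sock.sendall(first_bytes)
            return sock.recv(4096).split(b"\r\n", 1)[0]
    finally:
        proxy.shutdown()
        proxy.server_close()
```

`relay_through_tunnel(TLS_LIKE)` and `relay_through_tunnel(b"PING\n")` both return their input unchanged, which is the "Squid does not care about the protocols" point: once the CONNECT line has named the target, the stand-in relays TLS and plain text alike. `status_without_connect(TLS_LIKE)` returns the 400 status line, which is the failure mode from the original question: with no interception and no CONNECT, nothing tells the proxy where the bytes should go. In the `https_port X intercept` variant the target instead comes from the NAT redirect's original destination, which this model does not cover. A splice-all rule relays anything to anywhere the client names, so in a real deployment the ACL on that rule (and the `dst`/port ACLs in front of it) is what bounds which backends the tunnel can reach.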