[squid-users] TLS passthrough
Alex Rousskov
rousskov at measurement-factory.com
Thu Sep 28 22:23:05 UTC 2023
On 2023-09-28 15:23, Fernando Giorgetti wrote:
> Actually with the suggested blind passthrough, Squid would not handle
> the TLS termination.
Correct.
> how will Squid know what the target is?
In many cases, Squid can learn SNI by peeking at TLS ClientHello,
without terminating TLS. Bugs notwithstanding, none of the configuration
sketches I shared previously will do that though.
HTH,
Alex.
> On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
>
> On 2023-09-28 11:31, Fernando Giorgetti wrote:
>
> > And what should I do to let Squid use the SNI defined by the TLS
> > client?
>
> What do you want Squid to use that SNI for?
>
> Alex.
>
>
> > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> >
> > On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > > If so, I would say, it should work as well.
> > >
> > > But this is an environment I do not control, and I have been told
> > > to try using an existing squid installation to proxy non-http/TLS
> > > data through.
> > >
> > > I appreciate any guidance or recommendation.
> >
> >
> > Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
> > X) TCP traffic to its intended destination:
> >
> > https_port X intercept ssl-bump ...
> > ssl_bump splice all
> >
> >
> > Without interception, Squid can only tunnel stuff inside HTTP
> > CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> >
> > http_port Y ssl-bump ...
> > ssl_bump splice all
> >
> >
> > In both cases, Squid does not care about the protocols that tunneled
> > traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
> > of TCP.
> >
> > Your ACLs may differ from "all" in the above sketches, of course, but if
> > traffic is not TLS, then you want an "ssl_bump splice" rule that matches
> > during SslBump step1. A rule with an "all" ACL is the simplest example
> > of that.
> >
> >
> > HTH,
> >
> > Alex.
> > P.S. I am getting an "Internal Server Error" when following the haproxy
> > link in the original question, so I cannot map what that page says to
> > the configurations above.
> >
> >
> > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> > >
> > > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > >I would like to know if it is possible to set up Squid to perform
> > > >TLS passthrough to a given backend, relaying TLS encrypted
> > > >traffic to the backend, similarly to what HAProxy does below?
> > > >
> > > >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > > >
> > > >I have tried a few different configurations using reverse proxy,
> > > >or peek and splice, but I could not make it work without providing
> > > >a valid HTTP request or a CONNECT request.
> > >
> > > what's the difference between TCP redirect and this?
> > >
> > > --
> > > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > > Warning: I wish NOT to receive e-mail advertising to this address.
> > > Depression is merely anger without enthusiasm.
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users at lists.squid-cache.org
> > > https://lists.squid-cache.org/listinfo/squid-users
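As an added illustration of the ClientHello peek Alex refers to (example code, not part of this thread or of Squid), the Python below reads the SNI host_name from the cleartext ClientHello bytes without decrypting or terminating anything, which is what lets a proxy learn the destination at SslBump step1 and still splice the connection untouched. The ClientHello builder and the host names are constructed test input; non-TLS bytes (the case that needs a step1 splice rule) and a truncated record both come back as None.

```python
import struct

def build_client_hello(server_name: bytes) -> bytes:
    """Constructed minimal ClientHello with one SNI extension (test input only)."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32               # client_version + random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def peek_sni(data: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None.
    Reads only cleartext handshake bytes: nothing is decrypted and the session
    is never terminated, so the connection can still be spliced untouched."""
    if len(data) < 5 or data[0] != 0x16:             # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                 # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len:                              # truncated: wait for more bytes
        return None
    try:
        i = 2 + 32                                   # client_version, random
        i += 1 + p[i]                                # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # cipher_suites
        i += 1 + p[i]                                # compression_methods
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            if etype == 0x0000:                      # server_name extension
                j = i + 2                            # skip server_name_list length
                while j + 3 <= i + elen:
                    ntype, nlen = p[j], struct.unpack("!H", p[j + 1:j + 3])[0]
                    if ntype == 0:                   # host_name
                        return p[j + 3:j + 3 + nlen].decode("ascii", "replace")
                    j += 3 + nlen
            i += elen
    except (IndexError, struct.error):
        return None                                  # malformed or extension-less
    return None
```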