[squid-users] TLS passthrough

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 28 22:23:05 UTC 2023 

On 2023-09-28 15:23, Fernando Giorgetti wrote:

> Actually with the suggested blind passthrough, Squid would not handle 
> the TLS termination.

Correct.


> how will Squid know what the target is?

In many cases, Squid can learn SNI by peeking at TLS ClientHello, 
without terminating TLS. Bugs notwithstanding, none of the configuration 
sketches I shared previously will do that though.


HTH,

Alex.



> On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> 
>     On 2023-09-28 11:31, Fernando Giorgetti wrote:
> 
>      > And what should I do to let Squid use the SNI defined by the TLS
>     client?
> 
>     What do you want Squid to use that SNI for?
> 
>     Alex.
> 
> 
>      > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
>      >
>      >     On 2023-09-28 09:06, Fernando Giorgetti wrote:
>      >      > Hi Matus, do you mean something like a DNAT (iptables) rule?
>      >      > If so, I would say, it should work as well.
>      >      >
>      >      > But this is an environment I do not control, and I have
>     been told
>      >     to try
>      >      > using an existing squid installation to proxy non-http/TLS
>     data
>      >     through.
>      >      >
>      >      > I appreciate any guidance or recommendation.
>      >
>      >
>      >     Bugs notwithstanding, Squid can blindly tunnel intercepted
>     (at TCP port
>      >     X) TCP traffic to its intended destination:
>      >
>      >           https_port X intercept ssl-bump ...
>      >           ssl_bump splice all
>      >
>      >
>      >     Without interception, then Squid can only tunnel stuff inside
>     HTTP
>      >     CONNECT tunnels (for HTTP CONNECT requests received at TCP
>     port Y):
>      >
>      >           http_port Y ssl-bump ...
>      >           ssl_bump splice all
>      >
>      >
>      >     In both cases, Squid does not care about the protocols that
>     tunneled
>      >     traffic is using. It could be HTTP, HTTPS, TLS, or anything
>     else on top
>      >     of TCP.
>      >
>      >     Your ACLs may differ from "all" in the above sketches, of course,
>      >     but if
>      >     traffic is not TLS, then you want an "ssl_bump splice" rule that
>      >     matches
>      >     during SslBump step1. A rule with an "all" ACLs is the
>     simplest example
>      >     of that.
>      >
>      >
>      >     HTH,
>      >
>      >     Alex.
>      >     P.S. I am getting an "Internal Server Error" when following
>     the haproxy
>      >     link in the original question, so I cannot map what that page
>     says to
>      >     the configurations above.
>      >
>      >
>      >      > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
>      >      >
>      >      >     On 27.09.23 16:48, Fernando Giorgetti wrote:
>      >      >      >I would like to know if it is possible to set up
>     Squid to
>      >     perform
>      >      >      >TLS passthrough to a given backend, relaying TLS
>     encrypted
>      >      >      >traffic to the backend, similarly to what HAProxy
>     does below?
>      >      >      >
>      >      >
>      >     
>      >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough <https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough> <https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough <https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>> <https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough <https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough> <https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough <https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>>
>      >      >      >
>      >      >      >I have tried a few different configurations using
>     reverse
>      >     proxy,
>      >      >      >or peek and splice, but I could not make it work without
>      >     providing
>      >      >      >a valid HTTP request or a CONNECT request.
>      >      >
>      >      >     what's the difference between TCP redirect and this?
>      >      >
>      >      >     --
>      >      >     Matus UHLAR - fantomas, uhlar at fantomas.sk
>     <mailto:uhlar at fantomas.sk>
>      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>
>     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>
>      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>>
>      >      >     ; http://www.fantomas.sk/ <http://www.fantomas.sk/>
>     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>
>      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>
>     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>>
>      >      >     Warning: I wish NOT to receive e-mail advertising to this
>      >     address.
>      >      >     Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek
>     reklamnu
>      >     postu.
>      >      >     Depression is merely anger without enthusiasm.
>      >      >     _______________________________________________
>      >      >     squid-users mailing list
>      >      > squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>      >     <mailto:squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>>
>      >      >     <mailto:squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>      >     <mailto:squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>>>
>      >      > https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>
>      >     <https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>>
>      >      >     <https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>
>      >     <https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>>>
>      >      >
>      >      >
>      >      > _______________________________________________
>      >      > squid-users mailing list
>      >      > squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>      >     <mailto:squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>>
>      >      > https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>
>      >     <https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>>
>      >
>      >     _______________________________________________
>      >     squid-users mailing list
>      > squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>      >     <mailto:squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>>
>      > https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>
>      >     <https://lists.squid-cache.org/listinfo/squid-users
>     <https://lists.squid-cache.org/listinfo/squid-users>>
>      >
>

More information about the squid-users mailing list