[squid-users] TLS passthrough
Fernando Giorgetti
fgiorgetti at gmail.com
Fri Sep 29 00:35:04 UTC 2023
>
> Bugs notwithstanding, none of the configuration
> sketches I shared previously will do that though.
Do you have any recommendations on how I could have it done?
When my tls client tries to reach the target through Squid, using
a "ssl_bump splice", it seems like squid is trying to reach itself in a
loop.
I have also tried including a peek first, but no luck.
Thanks again for all suggestions.
On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 2023-09-28 15:23, Fernando Giorgetti wrote:
>
> > Actually with the suggested blind passthrough, Squid would not handle
> > the TLS termination.
>
> Correct.
>
>
> > how will Squid know what the target is?
>
> In many cases, Squid can learn SNI by peeking at TLS ClientHello,
> without terminating TLS. Bugs notwithstanding, none of the configuration
> sketches I shared previously will do that though.
>
>
> HTH,
>
> Alex.
>
>
>
> > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> >
> > On 2023-09-28 11:31, Fernando Giorgetti wrote:
> >
> > > And what should I do to let Squid use the SNI defined by the TLS
> > client?
> >
> > What do you want Squid to use that SNI for?
> >
> > Alex.
> >
> >
> > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> > >
> > > On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > > > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > > > If so, I would say, it should work as well.
> > > >
> > > > But this is an environment I do not control, and I have been told to try
> > > > using an existing squid installation to proxy non-http/TLS data through.
> > > >
> > > > I appreciate any guidance or recommendation.
> > >
> > >
> > > Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port
> > > X) TCP traffic to its intended destination:
> > >
> > > https_port X intercept ssl-bump ...
> > > ssl_bump splice all
> > >
> > >
> > > Without interception, Squid can only tunnel stuff inside HTTP
> > > CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> > >
> > > http_port Y ssl-bump ...
> > > ssl_bump splice all
> > >
> > >
> > > In both cases, Squid does not care about the protocols that tunneled
> > > traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top
> > > of TCP.
> > >
> > > Your ACLs may differ from "all" in the above sketches, of course, but if
> > > traffic is not TLS, then you want an "ssl_bump splice" rule that matches
> > > during SslBump step1. A rule with an "all" ACL is the simplest example
> > > of that.
> > >
> > >
> > > HTH,
> > >
> > > Alex.
> > > P.S. I am getting an "Internal Server Error" when following the haproxy
> > > link in the original question, so I cannot map what that page says to
> > > the configurations above.
> > >
> > >
> > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> > > >
> > > > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > > >I would like to know if it is possible to set up Squid to perform
> > > > >TLS passthrough to a given backend, relaying TLS encrypted
> > > > >traffic to the backend, similarly to what HAProxy does below?
> > > > >
> > > > >https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > > > >
> > > > >I have tried a few different configurations using reverse proxy,
> > > > >or peek and splice, but I could not make it work without providing
> > > > >a valid HTTP request or a CONNECT request.
> > > >
> > > > what's the difference between TCP redirect and this?
> > > >
> > > > --
> > > > Matus UHLAR - fantomas, uhlar at fantomas.sk
> > > > ; http://www.fantomas.sk/
> > > > Warning: I wish NOT to receive e-mail advertising to this address.
> > > > Warning: I do NOT want to receive any advertising mail at this address.
> > > > Depression is merely anger without enthusiasm.
> > > > _______________________________________________
> > > > squid-users mailing list
> > > > squid-users at lists.squid-cache.org
> > > > https://lists.squid-cache.org/listinfo/squid-users
> > > >
> > > >
> > >
> >
>
>
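As an added illustration of the point Alex makes above (example code written for this page, not code from the thread or from Squid): a minimal Python parser that reads the SNI out of a TLS ClientHello without decrypting anything, which is the same look Squid takes at SslBump step1 ("peek") before deciding whether to splice. The ClientHello bytes are constructed inside the block rather than captured, and the function names and the allowlist policy are this example's own.

```python
import struct

def build_client_hello(host):
    """Constructed minimal TLS 1.2 ClientHello record (sample input, not a capture).
    host=None produces a ClientHello that carries no extensions at all."""
    ext = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
        ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!H", len(ext)) + ext                     # extensions length prefix
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def peek_sni(data):
    """Return the SNI host_name from a TLS ClientHello, or None when the bytes are
    not a complete ClientHello (non-TLS traffic, truncated record) or carry no SNI."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                                      # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_end = 9 + int.from_bytes(data[6:9], "big")
    if hs_end > 5 + rec_len or len(data) < hs_end:
        return None                                      # truncated record
    p = 9 + 2 + 32                                       # skip version and random
    p += 1 + data[p]                                     # session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]       # cipher suites
    p += 1 + data[p]                                     # compression methods
    if p + 2 > hs_end:
        return None                                      # no extensions block
    end = min(p + 2 + struct.unpack("!H", data[p:p + 2])[0], hs_end)
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == 0:                                   # server_name extension
            q = p + 2                                    # skip server_name_list length
            while q + 3 <= p + elen:
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                if data[q] == 0:                         # name_type host_name
                    return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        p += elen
    return None

def splice_allowed(data, allowed_suffixes):
    """Defender-side policy: splice only when the peeked SNI matches an allowlist."""
    sni = peek_sni(data)
    return sni is not None and sni.endswith(allowed_suffixes)
```

Non-TLS bytes (a plain HTTP request, for instance) yield None rather than a crash, which is the case Alex's remark about needing a splice rule that matches at step1 is about.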