[squid-users] TLS passthrough

Alex Rousskov rousskov at measurement-factory.com
Fri Sep 29 02:39:16 UTC 2023


On 2023-09-28 20:35, Fernando Giorgetti wrote:

> Do you have any recommendations on how I could have it done?

I am unable to confirm whether Squid can do what you want or provide 
configuration recommendations because I do not yet know how your Squid 
will receive traffic (e.g., an intercepting proxy or an explicit forward 
HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP, 
something else), and what you want Squid to do with that traffic.

To make progress, I recommend describing the above details (for one 
typical use case?) and then answering any followup questions.


Cheers,

Alex.


> When my TLS client tries to reach the target through Squid, using
> a "ssl_bump splice", it seems like Squid is trying to reach itself in a
> loop.
>
> I have also tried including a peek first, but no luck.
>
> Thanks again for all suggestions.
>
> On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote:
>
> > On 2023-09-28 15:23, Fernando Giorgetti wrote:
> >
> > > Actually with the suggested blind passthrough, Squid would not
> > > handle the TLS termination.
> >
> > Correct.
> >
> > > how will Squid know what the target is?
> >
> > In many cases, Squid can learn SNI by peeking at TLS ClientHello,
> > without terminating TLS. Bugs notwithstanding, none of the
> > configuration sketches I shared previously will do that though.
> >
> > HTH,
> >
> > Alex.
> >
> > > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> > >
> > > > On 2023-09-28 11:31, Fernando Giorgetti wrote:
> > > >
> > > > > And what should I do to let Squid use the SNI defined by
> > > > > the TLS client?
> > > >
> > > > What do you want Squid to use that SNI for?
> > > >
> > > > Alex.
> > > >
> > > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> > > > >
> > > > > > On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > > > > > > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > > > > > > If so, I would say, it should work as well.
> > > > > > >
> > > > > > > But this is an environment I do not control, and I have
> > > > > > > been told to try using an existing Squid installation to proxy
> > > > > > > non-HTTP/TLS data through.
> > > > > > >
> > > > > > > I appreciate any guidance or recommendation.
> > > > > >
> > > > > > Bugs notwithstanding, Squid can blindly tunnel intercepted
> > > > > > (at TCP port X) TCP traffic to its intended destination:
> > > > > >
> > > > > >       https_port X intercept ssl-bump ...
> > > > > >       ssl_bump splice all
> > > > > >
> > > > > > Without interception, Squid can only tunnel stuff inside
> > > > > > HTTP CONNECT tunnels (for HTTP CONNECT requests received at TCP
> > > > > > port Y):
> > > > > >
> > > > > >       http_port Y ssl-bump ...
> > > > > >       ssl_bump splice all
> > > > > >
> > > > > > In both cases, Squid does not care about the protocols that
> > > > > > tunneled traffic is using. It could be HTTP, HTTPS, TLS, or
> > > > > > anything else on top of TCP.
> > > > > >
> > > > > > Your ACLs may differ from "all" in the above sketches, of course,
> > > > > > but if traffic is not TLS, then you want an "ssl_bump splice"
> > > > > > rule that matches during SslBump step1. A rule with an "all" ACL
> > > > > > is the simplest example of that.
> > > > > >
> > > > > > HTH,
> > > > > >
> > > > > > Alex.
> > > > > > P.S. I am getting an "Internal Server Error" when following
> > > > > > the haproxy link in the original question, so I cannot map what
> > > > > > that page says to the configurations above.
> > > > > >
> > > > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> > > > > > >
> > > > > > > > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > > > > > > > I would like to know if it is possible to set up Squid to
> > > > > > > > > perform TLS passthrough to a given backend, relaying TLS
> > > > > > > > > encrypted traffic to the backend, similarly to what HAProxy
> > > > > > > > > does below?
> > > > > > > > >
> > > > > > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > > > > > > > >
> > > > > > > > > I have tried a few different configurations using reverse
> > > > > > > > > proxy, or peek and splice, but I could not make it work
> > > > > > > > > without providing a valid HTTP request or a CONNECT request.
> > > > > > > >
> > > > > > > > what's the difference between TCP redirect and this?
> > > > > > > >
> > > > > > > > --
> > > > > > > > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > > > > > > > Warning: I wish NOT to receive e-mail advertising to this address.
> > > > > > > > Warning: I do NOT want to receive any advertising mail at this address.
> > > > > > > > Depression is merely anger without enthusiasm.
> > > > > > > > _______________________________________________
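The mechanism Alex refers to above (a proxy learning the intended target from the TLS ClientHello during SslBump step1, without terminating TLS) is illustrated below. This is an added example, not Squid code and not something posted in this thread. The ClientHello it parses is constructed inline, the host name backend.example.test is a placeholder, and the function names are this example's own. Besides the happy path it shows the two cases a peeking proxy must tolerate: a first packet that is not TLS at all (plain HTTP, which a step1 "ssl_bump splice" rule passes through unchanged) and a truncated or SNI-less hello, for which no target name can be learned.

```python
"""Extract the SNI host name from a raw TLS ClientHello record.

Added example, not part of Squid. It mirrors what a peeking proxy does at
SslBump step1: read the client's first bytes, find the server_name
extension, and use it to pick the destination, all without a TLS handshake
of its own.
"""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(host):
    """Construct a minimal TLS 1.2-style ClientHello record (test input,
    constructed here rather than captured). host=None omits the extensions
    block entirely, i.e. a hello that carries no SNI."""
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (zeroed for the example)
        + b"\x00"                                # session_id length: 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression: null only
    )
    if host is not None:
        name = host.encode("ascii")
        # ServerName entry: name_type host_name(0), u16 length, name bytes
        entry = struct.pack("!BH", 0, len(name)) + name
        # ServerNameList: u16 list length, then entries
        ext_data = struct.pack("!H", len(entry)) + entry
        # Extension: u16 type, u16 length, data
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(data):
    """Return the SNI host name from a ClientHello, or None when the bytes
    are not a TLS handshake, are truncated, or carry no server_name.
    Never raises on short or garbage input."""
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            return None                          # not TLS (e.g. plain HTTP)
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                          # truncated hello
        pos = 2 + 32                             # skip version + random
        pos += 1 + body[pos]                     # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                        # skip cipher suites
        pos += 1 + body[pos]                     # skip compression methods
        if pos + 2 > len(body):
            return None                          # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            p = 2                                # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                name = edata[p:p + nlen]
                p += nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    hello = build_client_hello("backend.example.test")
    print("peeked SNI:", extract_sni(hello))
    print("plain HTTP:", extract_sni(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
    print("no SNI:", extract_sni(build_client_hello(None)))
```

In Squid the result of this peek is what an ssl::server_name ACL matches against after step1; a hello that yields no name (the last two cases above) is exactly the situation in which a splice rule that matches at step1 is the safe default, since there is nothing to route on and nothing to terminate.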



