[squid-users] TLS passthrough

Fernando Giorgetti fgiorgetti at gmail.com
Fri Sep 29 13:17:27 UTC 2023


Hello Alex,

First of all, thanks for your attention and time.

Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS
data, as we have a restricted environment where Squid is currently the
only way to get out to the internet.

The idea is that the client application will open a connection to a given
hostname and port (setting the SNI in the TLS options), considering that
the given hostname/port is the actual backend they're trying to reach.

We can either try to use a fake hostname (defined in the /etc/hosts of the
tls client machine) which would actually point to Squid's IP or eventually
redirect traffic to the real destination into Squid using a DNAT rule.

But overall, it will be a 1:1 relationship, meaning, the https_port on Squid
would be used exclusively to this purpose of proxying from a given source
to a given destination.

That is why I was considering a reverse-proxy, but I had no luck with it
(actually I was able to proxy HTTP/HTTPS, but not non-http).

Thank you again,
Fernando

On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 2023-09-28 20:35, Fernando Giorgetti wrote:
>
> > Do you have any recommendations on how I could have it done?
>
> I am unable to confirm whether Squid can do what you want or provide
> configuration recommendations because I do not yet know how your Squid
> will receive traffic (e.g., an intercepting proxy or an explicit forward
> HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP,
> something else), and what you want Squid to do with that traffic.
>
> To make progress, I recommend describing the above details (for one
> typical use case?) and then answering any followup questions.
>
>
> Cheers,
>
> Alex.
>
>
> > When my tls client tries to reach the target through Squid, using
> > a "ssl_bump splice", it seems like squid is trying to reach itself in a
> > loop.
> >
> > I have also tried including a peek first, but no luck.
> >
> > Thanks again for all suggestions.
> >
> > On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote:
> >
> > > On 2023-09-28 15:23, Fernando Giorgetti wrote:
> > >
> > > > Actually with the suggested blind passthrough, Squid would not handle
> > > > the TLS termination.
> > >
> > > Correct.
> > >
> > >
> > > > how will Squid know what the target is?
> > >
> > > In many cases, Squid can learn SNI by peeking at TLS ClientHello,
> > > without terminating TLS. Bugs notwithstanding, none of the configuration
> > > sketches I shared previously will do that though.
> > >
> > >
> > > HTH,
> > >
> > > Alex.
> > >
> > >
> > > > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> > > >
> > > > > On 2023-09-28 11:31, Fernando Giorgetti wrote:
> > > > >
> > > > > > And what should I do to let Squid use the SNI defined by the TLS
> > > > > > client?
> > > > >
> > > > > What do you want Squid to use that SNI for?
> > > > >
> > > > > Alex.
> > > > >
> > > > >
> > > > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> > > > > >
> > > > > > > On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > > > > > > > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > > > > > > > If so, I would say, it should work as well.
> > > > > > > >
> > > > > > > > But this is an environment I do not control, and I have been
> > > > > > > > told to try using an existing squid installation to proxy
> > > > > > > > non-http/TLS data through.
> > > > > > > >
> > > > > > > > I appreciate any guidance or recommendation.
> > > > > > >
> > > > > > > Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP
> > > > > > > port X) TCP traffic to its intended destination:
> > > > > > >
> > > > > > >       https_port X intercept ssl-bump ...
> > > > > > >       ssl_bump splice all
> > > > > > >
> > > > > > > Without interception, Squid can only tunnel stuff inside HTTP
> > > > > > > CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> > > > > > >
> > > > > > >       http_port Y ssl-bump ...
> > > > > > >       ssl_bump splice all
> > > > > > >
> > > > > > > In both cases, Squid does not care about the protocols that
> > > > > > > tunneled traffic is using. It could be HTTP, HTTPS, TLS, or
> > > > > > > anything else on top of TCP.
> > > > > > >
> > > > > > > Your ACLs may differ from "all" in the above sketches, of course,
> > > > > > > but if traffic is not TLS, then you want an "ssl_bump splice" rule
> > > > > > > that matches during SslBump step1. A rule with an "all" ACL is the
> > > > > > > simplest example of that.
> > > > > > >
> > > > > > >
> > > > > > > HTH,
> > > > > > >
> > > > > > > Alex.
> > > > > > > P.S. I am getting an "Internal Server Error" when following the
> > > > > > > haproxy link in the original question, so I cannot map what that
> > > > > > > page says to the configurations above.
> > > > > > >
> > > > > > >
> > > > > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> > > > > > > >
> > > > > > > > > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > > > > > > > > I would like to know if it is possible to set up Squid to
> > > > > > > > > > perform TLS passthrough to a given backend, relaying TLS
> > > > > > > > > > encrypted traffic to the backend, similarly to what HAProxy
> > > > > > > > > > does below?
> > > > > > > > > >
> > > > > > > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > > > > > > > > >
> > > > > > > > > > I have tried a few different configurations using reverse
> > > > > > > > > > proxy, or peek and splice, but I could not make it work
> > > > > > > > > > without providing a valid HTTP request or a CONNECT request.
> > > > > > > > >
> > > > > > > > > what's the difference between TCP redirect and this?
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > > > > > > > > Warning: I wish NOT to receive e-mail advertising to this address.
> > > > > > > > > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> > > > > > > > > Depression is merely anger without enthusiasm.
> > > > > > > > > _______________________________________________
>
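Added example (editor's, not code from the thread or from Squid's own source): Alex's point that Squid can learn the SNI by peeking at the TLS ClientHello without terminating TLS is what an `ssl_bump peek step1` rule followed by an `ssl_bump splice` rule keyed on an `ssl::server_name` ACL relies on. The script below does that peek by hand: it builds a ClientHello (constructed test input, not a capture), walks the record and handshake headers, pulls the server_name extension out from among other extensions, and reports what a splice decision would do with it. Non-TLS bytes are rejected, which is the case Alex says needs a splice rule that already matches at step1. The `step2_action` helper, the host names, and the check against the proxy's own names are illustrative assumptions; in particular the self-name check is only my guess at why a fake hostname resolving to Squid's own IP would make Squid reach itself in a loop, which the thread does not confirm.

```python
"""Peek at a TLS ClientHello and extract the SNI without terminating TLS.

Added example for the squid-users thread above; it is not Squid code.
The ClientHello bytes are constructed by build_client_hello(), not captured.
"""
from __future__ import annotations

import struct
from typing import Optional

TLS_HANDSHAKE = 0x16       # record content type
HS_CLIENT_HELLO = 0x01     # handshake message type
EXT_SERVER_NAME = 0x0000   # RFC 6066 server_name extension
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal ClientHello record (constructed input for testing).

    Only the fields a peeking proxy must skip over are populated; an unrelated
    extension is placed before the SNI so the parser has to walk past it.
    """
    body = b"\x03\x03" + bytes(32)           # client_version + random
    body += b"\x00"                          # empty session id
    body += b"\x00\x02\x13\x01"              # one cipher suite
    body += b"\x01\x00"                      # compression: null only
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name(0)
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello, or None if no SNI is present.

    Raises ValueError when `data` is not a complete ClientHello record, e.g.
    plain HTTP or some other non-TLS protocol arriving on the same port.
    """
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            raise ValueError("truncated TLS record")
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                    # version + random
        pos += 1 + body[pos]                            # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                            # compression methods
        if pos + 2 > len(body):
            return None                                 # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", ext[0:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = ext[q]
                name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                      # host_name
                    return ext[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def is_tls_client_hello(data: bytes) -> bool:
    """True when the peeked bytes parse as a ClientHello (SNI or not)."""
    try:
        extract_sni(data)
        return True
    except ValueError:
        return False


def step2_action(data: bytes, passthrough: set[str], proxy_names: set[str]) -> str:
    """Toy stand-in (assumption) for ssl_bump rules evaluated after a step1 peek.

    'splice'    tunnel the bytes untouched to the origin (what the thread wants)
    'terminate' close the connection
    The proxy_names check is the editor's guess at the loop Fernando reports:
    an SNI that resolves to the proxy itself must not be spliced back into it.
    """
    sni = extract_sni(data)
    if sni is None or sni in proxy_names:
        return "terminate"
    return "splice" if sni in passthrough else "terminate"


if __name__ == "__main__":
    hello = build_client_hello("backend.example.net")   # assumed backend name
    print(extract_sni(hello), step2_action(hello, {"backend.example.net"}, set()))
```

To check a real deployment, feed `extract_sni` the first record read from the intercepted socket (or from a packet capture) and confirm the name the client actually sends is the one the `ssl::server_name` ACL expects; with a 1:1 setup like the one described above, any other name is a sign the client is not setting the SNI the proxy is routing on.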
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20230929/27f629c4/attachment-0001.htm>


More information about the squid-users mailing list