[squid-users] TLS passthrough

Fernando Giorgetti fgiorgetti at gmail.com
Fri Sep 29 14:55:22 UTC 2023


>
> Do you control the client application? If yes, then perhaps it can be
> adjusted to support HTTP proxies? In other words, the client will send a
> plain text HTTP CONNECT request to Squid and, upon receiving a 200
> (Connection Established) response headers, will start using TLS with the
> origin server. In this case, you do not need interception.


Nope, the client application is also used to communicate with other apps in
other environments. The SNI has to be used as the client/server apps perform
mutual TLS authentication.

In other words, the client will send a
> plain text HTTP CONNECT request to Squid and, upon receiving a 200
> (Connection Established) response headers, will start using TLS with the
> origin server. In this case, you do not need interception.


In order to evaluate if we can use Squid for this purpose, I have also
created a
basic TLS client/server app to validate what is happening. Basically my TLS
client
tries to connect directly to Squid IP/Port and I am indicating the SNI so
that the
TLS handshake passes.

Using a reverse I was able to make it reach the TLS server after faking a
CONNECT
request. But without a fake CONNECT or a valid HTTP request it failed.

When I tried to make it work using a forward proxy with intercept and
ssl_bump, I
could not make Squid peek at the SNI and tunnel the request to the correct
destination.

Fernando

On Fri, Sep 29, 2023 at 11:35 AM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 2023-09-29 09:17, Fernando Giorgetti wrote:
>
> > Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS
> > data, as we have a restricted environment where Squid is currently the
> > only way to get out to the internet.
>
> Yes, Squid can tunnel non-HTTP data, including TLS data.
>
>
> > The idea is that the client application will open a connection to a given
> > hostname and port (setting the SNI in the TLS options), considering that
> > the given hostname/port is the actual backend they're trying to reach.
>
> Do you control the client application? If yes, then perhaps it can be
> adjusted to support HTTP proxies? In other words, the client will send a
> plain text HTTP CONNECT request to Squid and, upon receiving a 200
> (Connection Established) response headers, will start using TLS with the
> origin server. In this case, you do not need interception.
>
>
> > We can either try to use a fake hostname (defined in the /etc/hosts of
> the
> > tls client machine) which would actually point to Squid's IP
>
> AFAICT, faking the IP address will not work without Squid source code
> modifications because a non-intercepting Squid https_port will want to
> terminate TLS -- such a port does not support blindly tunneling traffic.
>
>
> > or eventually
> > redirect traffic to the real destination into Squid using a DNAT rule.
>
> I am not a DNAT expert, but this sounds like interception to me. Bugs
> notwithstanding, Squid supports blind tunneling of intercepted TCP
> connections (to their intended destination):
>
>      https_port X intercept ssl-bump ...
>      ssl_bump splice all
>
> On a successful tunneling path, the above configuration does not care
> whether the intercepted traffic is TLS and will not peek at TLS SNI, but
> nothing in your requirements necessitates SNI knowledge AFAICT.
>
> If Squid fails to establish a TCP connection to the intended destination
> of the intercepted connection, then the situation becomes more complex:
> Squid (with the above configuration) assumes that the client is speaking
> TLS. Squid will attempt to bump the TLS client connection and send a
> Squid-generated HTTP error response to the client. AFAIK, this bumping
> and error sending attempt cannot be prevented in this case without Squid
> source code modifications: Squid used to be able to terminate a
> client-Squid connection instead of sending a Squid-generated HTTP error
> response (by replacing the corresponding Squid error page contents with
> a word "reset"). However, that feature was accidentally(?) dropped in
> 2002 commit 76cdc28 AFAICT.
>
>
> HTH,
>
> Alex.
>
>
> > But overall, it will be a 1:1 relationship, meaning, the https_port on
> Squid
> > would be used exclusively to this purpose of proxying from a given source
> > to a given destination.
> >
> > That is why I was considering a reverse-proxy, but I had no luck with it
> > (actually
> > I was able to proxy HTTP/HTTPS, but not non-http).
> >
> > Thank you again,
> > Fernando
> >
> > On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov
> > <rousskov at measurement-factory.com
> > <mailto:rousskov at measurement-factory.com>> wrote:
> >
> >     On 2023-09-28 20:35, Fernando Giorgetti wrote:
> >
> >      > Do you have any recommendations on how I could have it done?
> >
> >     I am unable to confirm whether Squid can do what you want or provide
> >     configuration recommendations because I do not yet know how your
> Squid
> >     will receive traffic (e.g., an intercepting proxy or an explicit
> >     forward
> >     HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP,
> >     something else), and what you want Squid to do with that traffic.
> >
> >     To make progress, I recommend describing the above details (for one
> >     typical use case?) and then answering any followup questions.
> >
> >
> >     Cheers,
> >
> >     Alex.
> >
> >
> >      > When my tls client tries to reach the target through Squid, using
> >      > a "ssl_bump splice", it seems like squid is trying to reach
> >     itself in a
> >      > loop.
> >      >
> >      > I have also tried including a peek first, but no luck.
> >      >
> >      > Thanks again for all suggestions.
> >      >
> >      > On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote:
> >      >
> >      >     On 2023-09-28 15:23, Fernando Giorgetti wrote:
> >      >
> >      >      > Actually with the suggested blind passthrough, Squid would
> not
> >      >     handle
> >      >      > the TLS termination.
> >      >
> >      >     Correct.
> >      >
> >      >
> >      >      > how will Squid know what the target is?
> >      >
> >      >     In many cases, Squid can learn SNI by peeking at TLS
> ClientHello,
> >      >     without terminating TLS. Bugs notwithstanding, none of the
> >      >     configuration
> >      >     sketches I shared previously will do that though.
> >      >
> >      >
> >      >     HTH,
> >      >
> >      >     Alex.
> >      >
> >      >
> >      >
> >      >      > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> >      >      >
> >      >      >     On 2023-09-28 11:31, Fernando Giorgetti wrote:
> >      >      >
> >      >      >      > And what should I do to let Squid use the SNI
> >     defined by
> >      >     the TLS
> >      >      >     client?
> >      >      >
> >      >      >     What do you want Squid to use that SNI for?
> >      >      >
> >      >      >     Alex.
> >      >      >
> >      >      >
> >      >      >      > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov
> wrote:
> >      >      >      >
> >      >      >      >     On 2023-09-28 09:06, Fernando Giorgetti wrote:
> >      >      >      >      > Hi Matus, do you mean something like a DNAT
> >      >     (iptables) rule?
> >      >      >      >      > If so, I would say, it should work as well.
> >      >      >      >      >
> >      >      >      >      > But this is an environment I do not control,
> >     and I have
> >      >      >     been told
> >      >      >      >     to try
> >      >      >      >      > using an existing squid installation to proxy
> >      >     non-http/TLS
> >      >      >     data
> >      >      >      >     through.
> >      >      >      >      >
> >      >      >      >      > I appreciate any guidance or recommendation.
> >      >      >      >
> >      >      >      >
> >      >      >      >     Bugs notwithstanding, Squid can blindly tunnel
> >     intercepted
> >      >      >     (at TCP port
> >      >      >      >     X) TCP traffic to its intended destination:
> >      >      >      >
> >      >      >      >           https_port X intercept ssl-bump ...
> >      >      >      >           ssl_bump splice all
> >      >      >      >
> >      >      >      >
> >      >      >      >     Without interception, then Squid can only
> >     tunnel stuff
> >      >     inside
> >      >      >     HTTP
> >      >      >      >     CONNECT tunnels (for HTTP CONNECT requests
> >     received at TCP
> >      >      >     port Y):
> >      >      >      >
> >      >      >      >           http_port Y ssl-bump ...
> >      >      >      >           ssl_bump splice all
> >      >      >      >
> >      >      >      >
> >      >      >      >     In both cases, Squid does not care about the
> >     protocols
> >      >     that
> >      >      >     tunneled
> >      >      >      >     traffic is using. It could be HTTP, HTTPS, TLS,
> or
> >      >     anything
> >      >      >     else on top
> >      >      >      >     of TCP.
> >      >      >      >
> >      >      >      >     Your ACLs may differ from "all" in the above
> >     sketches,
> >      >     of course,
> >      >      >      >     but if
> >      >      >      >     traffic is not TLS, then you want an "ssl_bump
> >     splice"
> >      >     rule that
> >      >      >      >     matches
> >      >      >      >     during SslBump step1. A rule with an "all" ACLs
> >     is the
> >      >      >     simplest example
> >      >      >      >     of that.
> >      >      >      >
> >      >      >      >
> >      >      >      >     HTH,
> >      >      >      >
> >      >      >      >     Alex.
> >      >      >      >     P.S. I am getting an "Internal Server Error"
> when
> >      >     following
> >      >      >     the haproxy
> >      >      >      >     link in the original question, so I cannot map
> what
> >      >     that page
> >      >      >     says to
> >      >      >      >     the configurations above.
> >      >      >      >
> >      >      >      >
> >      >      >      >      > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR -
> >      >     fantomas wrote:
> >      >      >      >      >
> >      >      >      >      >     On 27.09.23 16:48, Fernando Giorgetti
> wrote:
> >      >      >      >      >      >I would like to know if it is possible
> >     to set up
> >      >      >     Squid to
> >      >      >      >     perform
> >      >      >      >      >      >TLS passthrough to a given backend,
> >     relaying TLS
> >      >      >     encrypted
> >      >      >      >      >      >traffic to the backend, similarly to
> >     what HAProxy
> >      >      >     does below?
> >      >      >      >      >      >
> >      >      >      >      >
> >      >      >      >
> >      >      >
> >      >
> >      >
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>>>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough>
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> <
> https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> >>>>>
> >      >      >      >      >      >
> >      >      >      >      >      >I have tried a few different
> >     configurations using
> >      >      >     reverse
> >      >      >      >     proxy,
> >      >      >      >      >      >or peek and splice, but I could not
> >     make it
> >      >     work without
> >      >      >      >     providing
> >      >      >      >      >      >a valid HTTP request or a CONNECT
> request.
> >      >      >      >      >
> >      >      >      >      >     what's the difference between TCP
> >     redirect and
> >      >     this?
> >      >      >      >      >
> >      >      >      >      >     --
> >      >      >      >      >     Matus UHLAR - fantomas,
> >     uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>
> >      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>
> >      >      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>
> >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>>
> >      >      >      >     <mailto:uhlar at fantomas.sk
> >     <mailto:uhlar at fantomas.sk> <mailto:uhlar at fantomas.sk
> >     <mailto:uhlar at fantomas.sk>>
> >      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>
> >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>>>
> >      >      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>
> >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>
> >      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>
> >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>>
> >      >      >      >     <mailto:uhlar at fantomas.sk
> >     <mailto:uhlar at fantomas.sk> <mailto:uhlar at fantomas.sk
> >     <mailto:uhlar at fantomas.sk>>
> >      >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>
> >     <mailto:uhlar at fantomas.sk <mailto:uhlar at fantomas.sk>>>>>
> >      >      >      >      >     ; http://www.fantomas.sk/
> >     <http://www.fantomas.sk/>
> >      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>
> >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>
> >      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>>
> >      >      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>
> >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>
> >      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>
> >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>>>
> >      >      >      >     <http://www.fantomas.sk/
> >     <http://www.fantomas.sk/> <http://www.fantomas.sk/
> >     <http://www.fantomas.sk/>>
> >      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>
> >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>>
> >      >      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>
> >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>
> >      >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>
> >     <http://www.fantomas.sk/ <http://www.fantomas.sk/>>>>>
> >      >      >      >      >     Warning: I wish NOT to receive e-mail
> >      >     advertising to this
> >      >      >      >     address.
> >      >      >      >      >     Varovanie: na tuto adresu chcem
> NEDOSTAVAT
> >      >     akukolvek
> >      >      >     reklamnu
> >      >      >      >     postu.
> >      >      >      >      >     Depression is merely anger without
> >     enthusiasm.
> >      >      >      >      >
> >       _______________________________________________
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20230929/08764da8/attachment-0001.htm>


More information about the squid-users mailing list