[squid-users] Squid as http to https forward proxy

Alex Rousskov rousskov at measurement-factory.com
Thu Jul 4 16:36:35 UTC 2024


On 2024-07-04 10:58, Matus UHLAR - fantomas wrote:
>> On 2024-07-04 09:20, Wagner, Juergen03 wrote:
>>> we are evaluating Squid to be used as a http to https forward proxy.
>>>
>>> So Squid would need to support the following setup:
>>>
>>>     http (client)    ---->   Squid  --->  https ( server )
>>>
>>> Could someone please confirm if the given setup is in principle 
>>> possible with Squid?
>>>
>>> If yes, which configuration needs to be done?
> 
> On 04.07.24 10:36, Alex Rousskov wrote:
>>    Yes, Squid should be able to forward plain text HTTP requests to a 
>> secure server. Use cache_peer directive with "tls" and "originserver" 
>> flags. Here is an untested sketch:
>>
>>    # routing all traffic to one HTTPS origin server
>>    cache_peer 127.0.0.1 parent 443 0 tls originserver \
>>        name=MySecureOrigin \
>>        no-query no-digest
>>    cache_peer_access MySecureOrigin allow all
>>    always_direct deny all
>>    never_direct allow all
>>    nonhierarchical_direct off
> 
> Afaik this means that it is not possible with any remote server, because 
> all servers you want to access this way must be explicitly set up in 
> squid.conf, correct?

I assumed (possibly incorrectly) that Juergen was asking about a single 
"true origin server" (e.g., example.com). The above example was written 
with a single "true origin server" in mind. However, exactly the same 
Squid configuration may work to forward traffic to a reverse proxy 
(running at 127.0.0.1 on port 443) that "represents" multiple/different 
"true origin servers".

That reverse proxy will need to shovel TLS bytes received from Squid to 
the right "true origin server", but I am guessing that it can do that 
based on TLS SNI supplied by Squid. Some Squid code modifications may be 
necessary to make this work correctly with persistent Squid-to-peer 
connections and such, but nothing major AFAICT (and they can be turned 
off using server_persistent_connections if they are in the way).

AFAICT, with either SslBump or some Squid code modifications, that 
reverse proxy can be a Squid proxy. With even more Squid enhancements, 
that reverse proxy can also become an https_port on the same Squid proxy 
instance where the http_port receives plain HTTP requests!

Does this answer your question?

Alex.
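The sketch quoted above, filled out as a complete squid.conf for the single "true origin server" case, with peer certificate verification and access control added. This is an added example, not configuration from the thread; origin.example.com, the CA file path and the 10.0.0.0/8 client range are assumed.

```squid
# Added example (not from the thread): Alex's cache_peer sketch extended for
# one true origin server. Assumed names: origin.example.com,
# /etc/squid/origin-ca.pem, client network 10.0.0.0/8.

http_port 3128

# Only the expected internal clients, and only requests for the origin,
# are accepted; everything else is refused before any forwarding happens.
acl localnet src 10.0.0.0/8
acl to_origin dstdomain origin.example.com
http_access allow localnet to_origin
http_access deny all

# Upstream HTTPS origin (here reached at 127.0.0.1:443, as in the sketch).
# Because the peer is addressed by IP, tls-domain= supplies the name to
# check the server certificate against; tls-cafile= limits trust to the
# CA that issued that certificate instead of the system default set.
cache_peer 127.0.0.1 parent 443 0 tls originserver \
    name=MySecureOrigin \
    tls-domain=origin.example.com \
    tls-cafile=/etc/squid/origin-ca.pem \
    no-query no-digest

# Route only origin traffic to the peer, not "allow all".
cache_peer_access MySecureOrigin allow to_origin
cache_peer_access MySecureOrigin deny all

always_direct deny all
never_direct allow all
nonhierarchical_direct off

# As noted in the thread, reused Squid-to-peer connections can be switched
# off if the peer mishandles them:
# server_persistent_connections off
```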