[squid-users] Squid as http to https forward proxy
Alex Rousskov
rousskov at measurement-factory.com
Thu Jul 4 16:43:27 UTC 2024
On 2024-07-04 12:36, Alex Rousskov wrote:
> On 2024-07-04 10:58, Matus UHLAR - fantomas wrote:
>>> On 2024-07-04 09:20, Wagner, Juergen03 wrote:
>>>> we are evaluating Squid to be used as a http to https forward proxy.
>>>>
>>>> So Squid would need to support the following setup:
>>>>
>>>> http (client) ----> Squid ---> https ( server )
>>>>
>>>> Could someone please confirm if the given setup is in principle
>>>> possible with Squid?
>>>>
>>>> If yes, which configuration needs to be done?
>>
>> On 04.07.24 10:36, Alex Rousskov wrote:
>>> Yes, Squid should be able to forward plain text HTTP requests to a
>>> secure server. Use cache_peer directive with "tls" and "originserver"
>>> flags. Here is an untested sketch:
>>>
>>> # routing all traffic to one HTTPS origin server
>>> cache_peer 127.0.0.1 parent 443 0 tls originserver \
>>> name=MySecureOrigin \
>>> no-query no-digest
>>> cache_peer_access MySecureOrigin allow all
>>> always_direct deny all
>>> never_direct allow all
>>> nonhierarchical_direct off
>>
>> Afaik this means that it is not possible with any remote server,
>> because all servers you want to access this way must be explicitly set
>> up in squid.conf, correct?
>
> I assumed (possibly incorrectly) that Juergen was asking about a single
> "true origin server" (e.g., example.com). The above example was written
> with a single "true origin server" in mind. However, exactly the same
> Squid configuration may work to forward traffic to a reverse proxy
> (running at 127.0.0.1 on port 443) that "represents" multiple/different
> "true origin servers".
>
> That reverse proxy will need to shovel TLS bytes received from Squid to
> the right "true origin server", but I am guessing that it can do that
> based on TLS SNI supplied by Squid. Some Squid code modifications may be
> necessary to make this work correctly with persistent Squid-to-peer
> connections and such, but nothing major AFAICT (and they can be turned
> off using server_persistent_connections if they are in the way).
>
> AFAICT, with either SslBump or some Squid code modifications, that
> reverse proxy can be a Squid proxy. With even more Squid enhancements,
> that reverse proxy can also become an https_port on the same Squid proxy
> instance where the http_port receives plain HTTP requests!
At some point, depending on the use case, it will be easier to enhance
Squid to encrypt plain HTTP requests without using this TLS cache_peer
hack, of course.
Alex.
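The single-origin configuration sketched in the quoted reply, written out below as an added example that is not part of this thread or of Squid's own documentation, and with the peer certificate actually verified rather than left at defaults. The origin name example.com, the peer address 192.0.2.10, the CA bundle path and the client network are assumptions; the option spellings are the Squid 4+ "tls-*" forms of the cache_peer directive. That Squid also presents tls-domain as the SNI is stated here as my understanding of the code, not as something the thread confirms.

```conf
# Added example: plain HTTP clients on port 3128, every request forwarded
# over TLS to one origin (example.com, 192.0.2.10: assumed values).

http_port 3128

# Only the trusted client network may use the proxy (assumed range).
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# The HTTPS origin as a TLS parent. The peer is addressed by IP, so
# tls-domain= names the host the certificate must be issued for (and, as
# far as I know, the SNI Squid sends); tls-cafile= (assumed path) pins the
# trust anchor for that certificate; tls-min-version= refuses legacy TLS.
cache_peer 192.0.2.10 parent 443 0 tls originserver \
    name=MySecureOrigin \
    tls-domain=example.com \
    tls-cafile=/etc/squid/origin-ca.pem \
    tls-min-version=1.2 \
    no-query no-digest

# Weak variant, kept commented out for contrast and NOT to be used: it
# accepts any certificate, so anyone on the path can impersonate the
# origin and read the traffic the proxy was meant to protect.
# cache_peer 192.0.2.10 parent 443 0 tls originserver \
#     name=MySecureOrigin tls-flags=DONT_VERIFY_PEER no-query no-digest

# Route everything through the peer and never contact origins directly.
cache_peer_access MySecureOrigin allow all
always_direct deny all
never_direct allow all
nonhierarchical_direct off
```

After loading this, `squid -k parse` reports any option your build does not recognise, and a request such as `curl -x http://proxy:3128 http://example.com/` should reach the origin over TLS; if the peer's certificate does not match tls-domain or chain to tls-cafile, Squid marks the peer as unusable instead of silently falling back to plain text.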