Hello Alex,

First of all, thanks for your attention and time.

Actually I am evaluating if Squid can be used to proxy non-HTTP/TLS data, as we have a restricted environment where Squid is currently the only way to get out to the internet. The idea is that the client application will open a connection to a given hostname and port (setting the SNI in the TLS options), considering that the given hostname/port is the actual backend they're trying to reach. We can either try to use a fake hostname (defined in the /etc/hosts of the TLS client machine) which would actually point to Squid's IP, or eventually redirect traffic to the real destination into Squid using a DNAT rule.

But overall, it will be a 1:1 relationship, meaning the https_port on Squid would be used exclusively for this purpose of proxying from a given source to a given destination. That is why I was considering a reverse proxy, but I had no luck with it (actually I was able to proxy HTTP/HTTPS, but not non-HTTP).

Thank you again,
Fernando

On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:
> On 2023-09-28 20:35, Fernando Giorgetti wrote:
>
> > Do you have any recommendations on how I could have it done?
>
> I am unable to confirm whether Squid can do what you want or provide configuration recommendations because I do not yet know how your Squid will receive traffic (e.g., an intercepting proxy or an explicit forward HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP, something else), and what you want Squid to do with that traffic.
>
> To make progress, I recommend describing the above details (for one typical use case?) and then answering any followup questions.
>
> Cheers,
>
> Alex.
>
> > When my TLS client tries to reach the target through Squid, using a "ssl_bump splice", it seems like Squid is trying to reach itself in a loop.
> >
> > I have also tried including a peek first, but no luck.
> >
> > Thanks again for all suggestions.
> >
> > On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote:
> > > On 2023-09-28 15:23, Fernando Giorgetti wrote:
> > >
> > > > Actually with the suggested blind passthrough, Squid would not handle the TLS termination.
> > >
> > > Correct.
> > >
> > > > how will Squid know what the target is?
> > >
> > > In many cases, Squid can learn SNI by peeking at TLS ClientHello, without terminating TLS. Bugs notwithstanding, none of the configuration sketches I shared previously will do that though.
> > >
> > > HTH,
> > >
> > > Alex.
> > >
> > > > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> > > > > On 2023-09-28 11:31, Fernando Giorgetti wrote:
> > > > >
> > > > > > And what should I do to let Squid use the SNI defined by the TLS client?
> > > > >
> > > > > What do you want Squid to use that SNI for?
> > > > >
> > > > > Alex.
> > > > >
> > > > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> > > > > > > On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > > > > > > > Hi Matus, do you mean something like a DNAT (iptables) rule? If so, I would say it should work as well.
> > > > > > > >
> > > > > > > > But this is an environment I do not control, and I have been told to try using an existing Squid installation to proxy non-HTTP/TLS data through.
> > > > > > > >
> > > > > > > > I appreciate any guidance or recommendation.
> > > > > > >
> > > > > > > Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port X) TCP traffic to its intended destination:
> > > > > > >
> > > > > > >     https_port X intercept ssl-bump ...
> > > > > > >     ssl_bump splice all
> > > > > > >
> > > > > > > Without interception, Squid can only tunnel stuff inside HTTP CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> > > > > > >
> > > > > > >     http_port Y ssl-bump ...
> > > > > > >     ssl_bump splice all
> > > > > > >
> > > > > > > In both cases, Squid does not care about the protocols that tunneled traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top of TCP.
> > > > > > >
> > > > > > > Your ACLs may differ from "all" in the above sketches, of course, but if traffic is not TLS, then you want an "ssl_bump splice" rule that matches during SslBump step1. A rule with an "all" ACL is the simplest example of that.
> > > > > > >
> > > > > > > HTH,
> > > > > > >
> > > > > > > Alex.
> > > > > > > P.S. I am getting an "Internal Server Error" when following the haproxy link in the original question, so I cannot map what that page says to the configurations above.
> > > > > > >
> > > > > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> > > > > > > > > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > > > > > > > > I would like to know if it is possible to set up Squid to perform TLS passthrough to a given backend, relaying TLS encrypted traffic to the backend, similarly to what HAProxy does below?
> > > > > > > > > >
> > > > > > > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > > > > > > > > >
> > > > > > > > > > I have tried a few different configurations using reverse proxy, or peek and splice, but I could not make it work without providing a valid HTTP request or a CONNECT request.
> > > > > > > > >
> > > > > > > > > what's the difference between TCP redirect and this?
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> > > > > > > > > Warning: I wish NOT to receive e-mail advertising to this address.
> > > > > > > > > Warning (Slovak original: Varovanie): I do not want to receive any advertising mail at this address.
> > > > > > > > > Depression is merely anger without enthusiasm.
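Alex's "peek at TLS ClientHello" step, shown as an added example. This is Python written for this page; it is not Squid's code and not anything the posters wrote. It reads only the first TLS record of a client stream and pulls the server_name (SNI) out of the ClientHello without completing the handshake, and it also shows why a non-TLS stream arriving on the same intercepted port has to be spliced blindly at step1: there is no ClientHello to read a name from. The function names peek_sni, build_client_hello and classify, the hostname backend.example.internal, and the sample SSH banner and HTTP request are all constructed for the example.

```python
"""Peek at a TLS ClientHello for the SNI without terminating TLS.

Added example; not Squid code. Illustrates the SslBump step1 decision:
TLS with SNI, TLS without SNI, or not TLS at all (splice blindly).
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension


def _need(buf: bytes, pos: int, n: int) -> bytes:
    """Return buf[pos:pos+n], or raise if the message is truncated."""
    if pos + n > len(buf):
        raise ValueError("truncated")
    return buf[pos:pos + n]


def peek_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the first TLS record, else None.

    None covers: not a TLS handshake record, not a ClientHello, no
    server_name extension, or a truncated/malformed message. A proxy must
    treat all of these the same way (tunnel blindly or refuse), never as a
    parse error it can "recover" from by trusting partial data.
    """
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec = _need(data, 5, struct.unpack("!H", _need(data, 3, 2))[0])
        if rec[0] != CLIENT_HELLO:
            return None
        hs = _need(rec, 4, int.from_bytes(_need(rec, 1, 3), "big"))
        pos = 2 + 32                                          # version + random
        pos += 1 + _need(hs, pos, 1)[0]                       # session_id
        pos += 2 + struct.unpack("!H", _need(hs, pos, 2))[0]  # cipher_suites
        pos += 1 + _need(hs, pos, 1)[0]                       # compression
        if pos == len(hs):
            return None                                       # no extensions
        ext_len = struct.unpack("!H", _need(hs, pos, 2))[0]
        pos += 2
        end = pos + len(_need(hs, pos, ext_len))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns extensions block")
            edata = hs[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", _need(edata, 0, 2))[0]
            p = 2
            while p + 3 <= list_end:
                hdr = _need(edata, p, 3)
                name = _need(edata, p + 3, struct.unpack("!H", hdr[1:3])[0])
                p += 3 + len(name)
                if hdr[0] == 0:                               # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, ValueError, UnicodeDecodeError):
        return None


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal ClientHello for test input (not a real capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03"                    # client_version
        + b"\x11" * 32                 # "random": fixed bytes, constructed
        + b"\x00"                      # empty session_id
        + b"\x00\x02\x13\x01"          # one cipher suite
        + b"\x01\x00"                  # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed first bytes of four client streams hitting the same port.
SAMPLE_STREAMS = {
    "tls": build_client_hello("backend.example.internal"),
    "tls-no-sni": build_client_hello(None),
    "ssh": b"SSH-2.0-OpenSSH_9.3\r\n",
    "http": b"GET / HTTP/1.1\r\nHost: backend.example.internal\r\n\r\n",
}


def classify(first_bytes: bytes) -> str:
    """What a step1 rule can decide from the peeked bytes alone."""
    sni = peek_sni(first_bytes)
    if sni is not None:
        return f"tls sni={sni}"
    if first_bytes[:1] == bytes([TLS_HANDSHAKE]):
        return "tls without usable sni"
    return "not tls: splice blindly to the intercepted destination"


if __name__ == "__main__":
    for label, stream in SAMPLE_STREAMS.items():
        print(f"{label:11} -> {classify(stream)}")
```

The parser deliberately returns None for every failure mode rather than raising, because in a splice-or-terminate decision a half-parsed name is worse than no name: the proxy should fall back to the intercepted destination address, which is all Alex's blind-tunnel sketch ever uses.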
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users