> > Bugs notwithstanding, none of the configuration sketches I shared
> > previously will do that though.

Do you have any recommendations on how I could have it done?

When my TLS client tries to reach the target through Squid, using an "ssl_bump splice", it seems like Squid is trying to reach itself in a loop. I have also tried including a peek first, but no luck.

Thanks again for all suggestions.

On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:
> On 2023-09-28 15:23, Fernando Giorgetti wrote:
>
> > Actually with the suggested blind passthrough, Squid would not handle
> > the TLS termination.
>
> Correct.
>
> > how will Squid know what the target is?
>
> In many cases, Squid can learn SNI by peeking at TLS ClientHello,
> without terminating TLS. Bugs notwithstanding, none of the configuration
> sketches I shared previously will do that though.
>
> HTH,
>
> Alex.
>
> > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote:
> >
> > On 2023-09-28 11:31, Fernando Giorgetti wrote:
> >
> > > And what should I do to let Squid use the SNI defined by the TLS
> > > client?
> >
> > What do you want Squid to use that SNI for?
> >
> > Alex.
> >
> > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote:
> > >
> > > On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > > > Hi Matus, do you mean something like a DNAT (iptables) rule?
> > > > If so, I would say, it should work as well.
> > > >
> > > > But this is an environment I do not control, and I have been told
> > > > to try using an existing Squid installation to proxy non-http/TLS
> > > > data through.
> > > >
> > > > I appreciate any guidance or recommendation.
> > >
> > > Bugs notwithstanding, Squid can blindly tunnel intercepted
> > > (at TCP port X) TCP traffic to its intended destination:
> > >
> > >     https_port X intercept ssl-bump ...
> > >     ssl_bump splice all
> > >
> > > Without interception, then Squid can only tunnel stuff inside HTTP
> > > CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y):
> > >
> > >     http_port Y ssl-bump ...
> > >     ssl_bump splice all
> > >
> > > In both cases, Squid does not care about the protocols that tunneled
> > > traffic is using. It could be HTTP, HTTPS, TLS, or anything else on
> > > top of TCP.
> > >
> > > Your ACLs may differ from "all" in the above sketches, of course,
> > > but if traffic is not TLS, then you want an "ssl_bump splice" rule
> > > that matches during SslBump step1. A rule with an "all" ACL is the
> > > simplest example of that.
> > >
> > > HTH,
> > >
> > > Alex.
> > > P.S. I am getting an "Internal Server Error" when following the
> > > haproxy link in the original question, so I cannot map what that
> > > page says to the configurations above.
> > >
> > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote:
> > > >
> > > > On 27.09.23 16:48, Fernando Giorgetti wrote:
> > > > > I would like to know if it is possible to set up Squid to
> > > > > perform TLS passthrough to a given backend, relaying TLS
> > > > > encrypted traffic to the backend, similarly to what HAProxy
> > > > > does below?
> > > > >
> > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough
> > > > >
> > > > > I have tried a few different configurations using reverse
> > > > > proxy, or peek and splice, but I could not make it work without
> > > > > providing a valid HTTP request or a CONNECT request.
> > > >
> > > > What's the difference between TCP redirect and this?
> > > >
> > > > --
> > > > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> > > > Warning: I wish NOT to receive e-mail advertising to this address.
> > > > Warning: I do NOT wish to receive any advertising mail at this address.
> > > > Depression is merely anger without enthusiasm.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
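As an added example that is not part of the thread, here is a squid.conf fragment that builds on Alex's sketches and does what he describes as possible: peek at the ClientHello during step1 to learn the SNI, then splice (blindly tunnel) only connections whose SNI the operator allows, and terminate everything else. The port numbers, certificate path, client subnet and backend domain are assumptions, and the fragment assumes the kernel redirect feeding the intercept port excludes Squid's own outbound connections, otherwise an intercepted connection can loop back into Squid.

```conf
# Added example, not from the thread. Squid never terminates TLS here:
# it only reads the SNI from the ClientHello, then tunnels or refuses.

# Port values, paths and addresses below are placeholders.
acl localnet src 192.0.2.0/24                 # assumed client subnet
http_access allow localnet
http_access deny all

# Intercepted TLS (kernel REDIRECT/DNAT to port 3130). A certificate is
# still required on an ssl-bump port even though nothing gets bumped.
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/placeholder-bump.pem \
    generate-host-certificates=off

# Same rules also cover TLS carried inside HTTP CONNECT on port 3128.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/placeholder-bump.pem \
    generate-host-certificates=off

# step1: Squid has only the intercepted IP:port (or the CONNECT target).
acl step1 at_step SslBump1

# SNI is known after the step1 peek; only the backends we expect may be
# tunneled. The leading dot matches the domain and its subdomains.
acl allowed_sni ssl::server_name .backend.example   # assumed backend

# Read the ClientHello without decrypting, then decide at step2.
ssl_bump peek step1
ssl_bump splice allowed_sni     # blind tunnel: Squid never sees plaintext
ssl_bump terminate all          # unknown SNI: close rather than forward
```

Splicing means Squid cannot inspect or log anything beyond the SNI and the tunnel endpoints, so the SNI allow-list is the only policy point this setup provides.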