[squid-users] TLS passthrough

2023-09-27 Thread Fernando Giorgetti
Hello, I would like to know if it is possible to set up Squid to perform TLS passthrough to a given backend, relaying TLS encrypted traffic to the backend, similarly to what HAProxy does below? https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough

Re: [squid-users] TLS passthrough

2023-09-27 Thread Matus UHLAR - fantomas
On 27.09.23 16:48, Fernando Giorgetti wrote:
> I would like to know if it is possible to set up Squid to perform TLS passthrough to a given backend, relaying TLS encrypted traffic to the backend, similarly to what HAProxy does below? https://www.haproxy.com/documentation/aloha/latest/security/tls/

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
Hi Matus, do you mean something like a DNAT (iptables) rule? If so, I would say, it should work as well. But this is an environment I do not control, and I have been told to try using an existing squid installation to proxy non-http/TLS data through. I appreciate any guidance or recommendation.

Re: [squid-users] TLS passthrough

2023-09-28 Thread Matus UHLAR - fantomas
On 28.09.23 10:06, Fernando Giorgetti wrote:
> Hi Matus, do you mean something like a DNAT (iptables) rule?

that was my question.

> If so, I would say, it should work as well.

If you want to simply redirect incoming connections to another IP/port, port redirector should work just like DNAT. Bu

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 09:06, Fernando Giorgetti wrote:
> Hi Matus, do you mean something like a DNAT (iptables) rule? If so, I would say, it should work as well. But this is an environment I do not control, and I have been told to try using an existing squid installation to proxy non-http/TLS data through

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
Hello Alex, thanks for your reply.

And what should I do to let Squid use the SNI defined by the TLS client?

Thanks again,
Fernando

On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov < rouss...@measurement-factory.com> wrote:
> On 2023-09-28 09:06, Fernando Giorgetti wrote:
> > Hi Matus, do you mean

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 11:31, Fernando Giorgetti wrote:
> And what should I do to let Squid use the SNI defined by the TLS client?

What do you want Squid to use that SNI for?

Alex.

> On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote: On 2023-09-28 09:06, Fernando Giorgetti wrote: > Hi Matu

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
Actually with the suggested blind passthrough, Squid would not handle the TLS termination. So without a reverse proxy (accel mode), how will Squid know what the target is?

On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov < rouss...@measurement-factory.com> wrote:
> On 2023-09-28 11:31, Fernando Gior

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 15:23, Fernando Giorgetti wrote:
> Actually with the suggested blind passthrough, Squid would not handle the TLS termination.

Correct.

> how will Squid know what the target is?

In many cases, Squid can learn SNI by peeking at TLS ClientHello, without terminating TLS. Bugs notwi

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
> Bugs notwithstanding, none of the configuration sketches I shared previously will do that though.

Do you have any recommendations on how I could have it done? When my TLS client tries to reach the target through Squid, using a "ssl_bump splice", it seems like squid is trying to reach itself

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 20:35, Fernando Giorgetti wrote:
> Do you have any recommendations on how I could have it done?

I am unable to confirm whether Squid can do what you want or provide configuration recommendations because I do not yet know how your Squid will receive traffic (e.g., an intercepting

Re: [squid-users] TLS passthrough

2023-09-29 Thread Fernando Giorgetti
Hello Alex, First of all, thanks for your attention and time. Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS data, as we have a restricted environment where Squid is currently the only way to get out to the internet. The idea is that the client application will open a connec

Re: [squid-users] TLS passthrough

2023-09-29 Thread Alex Rousskov
On 2023-09-29 09:17, Fernando Giorgetti wrote:
> Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS data, as we have a restricted environment where Squid is currently the only way to get out to the internet.

Yes, Squid can tunnel non-HTTP data, including TLS data.

> The idea is

Re: [squid-users] TLS passthrough

2023-09-29 Thread Fernando Giorgetti
> Do you control the client application? If yes, then perhaps it can be adjusted to support HTTP proxies? In other words, the client will send a plain text HTTP CONNECT request to Squid and, upon receiving a 200 (Connection Established) response headers, will start using TLS with the orig

Re: [squid-users] TLS passthrough

2023-09-29 Thread Alex Rousskov
On 2023-09-29 10:55, Fernando Giorgetti wrote:
> Do you control the client application? If yes, then perhaps it can be adjusted to support HTTP proxies? In other words, the client will send a plain text HTTP CONNECT request to Squid and, upon receiving a 200 (Connection Established)

Re: [squid-users] TLS passthrough

2023-09-29 Thread Fernando Giorgetti
Alex, Sorry for my misconceptions in my previous email. The "intercept" scenario demonstrated here https://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource makes sense to me, as we are just redirecting internal traffic into Squid, so the original destination IP is preserved. I was able to

Re: [squid-users] TLS passthrough

2023-09-29 Thread Alex Rousskov
On 2023-09-29 13:55, Fernando Giorgetti wrote:
> The "intercept" scenario demonstrated here https://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource makes sense to me, as we are just redirecting internal traffic into Squid, so the original destination IP is preserved. I was able to make

Re: [squid-users] TLS passthrough

2023-09-29 Thread Fernando Giorgetti
If someone has already done that, with the client running in a different machine, I would love to know how. In case Squid runs on the same machine used as a network gateway to the client machine, I suppose the config would be similar, but if it's not running on the same machine used as the gateway

Re: [squid-users] TLS passthrough

2023-09-30 Thread Rafael Akchurin
> If someone has already done that, with the client running in a different machine, I would love to know how. In case Squid runs on the same machine used as a network gateway to the client machine, I suppose the config would be similar, but if it's not ru

Re: [squid-users] TLS passthrough

2023-09-30 Thread Amos Jeffries
On 30/09/23 11:06, Fernando Giorgetti wrote:
> If someone has already done that, with the client running in a different machine, I would love to know how.

There are several ways:
1) run Squid on the gateway router for your network, or
2) place Squid in a DMZ between the LAN gateway and WAN g

Re: [squid-users] TLS passthrough

2023-10-02 Thread Fernando Giorgetti
Thank you Amos and Rafael,

Using the LinuxDnat approach worked great as well.

On Sat, Sep 30, 2023 at 5:18 AM Amos Jeffries wrote:
> On 30/09/23 11:06, Fernando Giorgetti wrote:
> > If someone has already done that, with the client running in a different machine, I would love to know how.
>