With squid, it apparently seems impossible to just pass through SSL traffic to the HTTPS servers without breaking privacy. The same seems to be valid for some other "proxies" like nginx when used as a reverse proxy. So my solution to the problem was to discard squid and switch to haproxy. Maybe I am not the only one who wants a proxy which can _actually_ do SNI, i.e. use the clear-text domain name to just pass through to the appropriate server, _without_ having to intercept and decrypt the data. I think my very simple haproxy.conf is quite self-explanatory, so I attach it below to possibly help others who have similar needs:

    global
        maxconn 2000
        user haproxy
        group haproxy

    defaults
        timeout client 30s
        timeout server 30s
        timeout connect 10s

    frontend ft_http
        bind 10.0.0.10:80
        mode http
        acl http_sitewithssl_de hdr(host) -i sitewithssl.de
        acl http_sitewithssl_de_www hdr(host) -i www.sitewithssl.de
        acl http_anothersitewithoutssl_de hdr(host) -i anothersitewithoutssl.de
        acl http_anothersitewithoutssl_de_www hdr(host) -i www.anothersitewithoutssl.de
        use_backend backend_sitewithssl_de_http if http_sitewithssl_de
        use_backend backend_sitewithssl_de_http if http_sitewithssl_de_www
        use_backend backend_anothersitewithoutssl_de_http if http_anothersitewithoutssl_de
        use_backend backend_anothersitewithoutssl_de_http if http_anothersitewithoutssl_de_www

    frontend ft_https
        bind 10.0.0.10:443
        mode tcp
        # Added: in tcp mode the SNI acls below can only match once the
        # ClientHello has arrived, so wait for it (bounded) before routing
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        acl https_sitewithssl_de req_ssl_sni -i sitewithssl.de
        acl https_sitewithssl_de_www req_ssl_sni -i www.sitewithssl.de
        use_backend backend_sitewithssl_de_https if https_sitewithssl_de
        use_backend backend_sitewithssl_de_https if https_sitewithssl_de_www

    backend backend_anothersitewithoutssl_de_http
        mode http
        server server_anothersitewithoutssl_de_http 10.0.0.8:80

    backend backend_sitewithssl_de_http
        mode http
        server server_sitewithssl_de_http 10.0.0.9:80

    backend backend_sitewithssl_de_https
        mode tcp
        server server_sitewithssl_de_https 10.0.0.9:443

On 5/4/17, Stefan Blachmann <sblachmann@xxxxxxxxx> wrote:
> I am using squid 3.5.23 for no-caching reverse proxying http to
> backend web servers.
> I want to do the same with https.
>
> If I try to make cache_peer, acl, http_access and cache_peer_access
> for port 443 in addition to port 80, the connection attempt fails with
> the browser complaining about error code: SSL_ERROR_RX_RECORD_TOO_LONG. In
> the squid access log there is then a complaint about "invalid request".
>
> Is there a way to configure squid to just pass through https traffic
> to https backends? Just like it does with http?
> That is, _without_ needing to give squid access to the certificates and
> keys?
>
> (I ask because all instructions I found on the web are
> privacy-breaking decrypting MITM interception instructions. And I do
> _not_ want to do it this way!)
>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users