On 2024-07-04 12:36, Alex Rousskov wrote:
On 2024-07-04 10:58, Matus UHLAR - fantomas wrote:
On 2024-07-04 09:20, Wagner, Juergen03 wrote:
we are evaluating Squid to be used as an HTTP to HTTPS forward proxy.
So Squid would need to support the following setup:
http (client) ----> Squid ---> https ( server )
Could someone please confirm if the given setup is in principle
possible with Squid?
If yes, which configuration needs to be done?
On 04.07.24 10:36, Alex Rousskov wrote:
Yes, Squid should be able to forward plain text HTTP requests to a
secure server. Use the cache_peer directive with the "tls" and "originserver"
flags. Here is an untested sketch:
# routing all traffic to one HTTPS origin server
cache_peer 127.0.0.1 parent 443 0 tls originserver \
name=MySecureOrigin \
no-query no-digest
cache_peer_access MySecureOrigin allow all
always_direct deny all
never_direct allow all
nonhierarchical_direct off
AFAIK this means that it is not possible with any remote server,
because all servers you want to access this way must be explicitly set
up in squid.conf, correct?
I assumed (possibly incorrectly) that Juergen was asking about a single
"true origin server" (e.g., example.com). The above example was written
with a single "true origin server" in mind. However, exactly the same
Squid configuration may work to forward traffic to a reverse proxy
(running at 127.0.0.1 on port 443) that "represents" multiple/different
"true origin servers".
That reverse proxy will need to shovel TLS bytes received from Squid to
the right "true origin server", but I am guessing that it can do that
based on TLS SNI supplied by Squid. Some Squid code modifications may be
necessary to make this work correctly with persistent Squid-to-peer
connections and such, but nothing major AFAICT (and they can be turned
off using server_persistent_connections if they are in the way).
AFAICT, with either SslBump or some Squid code modifications, that
reverse proxy can be a Squid proxy. With even more Squid enhancements,
that reverse proxy can also become an https_port on the same Squid proxy
instance where the http_port receives plain HTTP requests!
At some point, depending on the use case, it will be easier to enhance
Squid to encrypt plain HTTP requests without using this TLS cache_peer
hack, of course.
Alex.
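For readers following the thread, here is an added, fuller squid.conf for the http (client) ---> Squid ---> https (server) role discussed above; it is not from any message in the thread and is untested like Alex's sketch. The client network (192.0.2.0/24), origin host (origin.example.com) and CA bundle path (/etc/squid/origin-ca.pem) are assumed placeholders.

```conf
# Added example, not from the thread. Single-origin HTTP-to-HTTPS relay.
# Assumed placeholders: 192.0.2.0/24, origin.example.com,
# /etc/squid/origin-ca.pem.

# Plain HTTP from clients only; no https_port is needed in this role.
http_port 3128

# Accept only the intended clients, and only requests for the host this
# relay exists for. Without the dstdomain rule, any client could use the
# relay to reach the origin with an arbitrary Host header.
acl localclients src 192.0.2.0/24
acl allowed_origin dstdomain origin.example.com
http_access allow localclients allowed_origin
http_access deny all

# The single TLS origin. Name the peer by its hostname so the certificate
# can be checked, trust the chain against a known CA bundle, and do not
# disable peer verification: a relay that skips it would silently accept a
# spoofed origin while its clients see nothing but plain HTTP.
cache_peer origin.example.com parent 443 0 tls originserver \
    name=SecureOrigin \
    tls-cafile=/etc/squid/origin-ca.pem \
    tls-min-version=1.2 \
    no-query no-digest

# Everything that passed http_access goes to that peer and never DIRECT,
# so no request can leave Squid as unencrypted HTTP.
cache_peer_access SecureOrigin allow allowed_origin
cache_peer_access SecureOrigin deny all
never_direct allow all
nonhierarchical_direct off
```

Check the result with "squid -k parse" before reloading; the cache_peer TLS option names above follow the Squid 4+ tls-* naming and should be confirmed against the squid.conf.documented of the version in use.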
squid-users mailing list
https://lists.squid-cache.org/listinfo/squid-users