Search squid archive

Re: Squid as http to https forward proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2024-07-04 12:36, Alex Rousskov wrote:
On 2024-07-04 10:58, Matus UHLAR - fantomas wrote:
On 2024-07-04 09:20, Wagner, Juergen03 wrote:
we are evaluating Squid to be used as a http to https forward proxy.

So Squid would need to support the following setup:

    http (client)    ---->   Squid  --->  https ( server )

Could someone please confirm if the given setup is in principle possible with Squid?

If yes, which configuration needs to be done?

On 04.07.24 10:36, Alex Rousskov wrote:
   Yes, Squid should be able to forward plain text HTTP requests to a secure server. Use cache_peer directive with "tls" and "originserver" flags. Here is an untested sketch:

   # routing all traffic to one HTTPS origin server
   cache_peer 127.0.0.1 parent 443 0 tls originserver \
       name=MySecureOrigin \
       no-query no-digest
   cache_peer_access MySecureOrigin allow all
   always_direct deny all
   never_direct allow all
   nonhierarchical_direct off

Afaik this means that it is not possible with any remote server, because all servers you want to access this way must be explicitly set up in squid.conf, correct?

I assumed (possibly incorrectly) that Juergen was asking about a single "true origin server" (e.g., example.com). The above example was written with a single "true origin server" in mind. However, exactly the same Squid configuration may work to forward traffic to a reverse proxy (running at 127.0.0.1 on port 443) that "represents" multiple/different "true origin servers".

That reverse proxy will need to shovel TLS bytes received from Squid to the right "true origin server", but I am guessing that it can do that based on TLS SNI supplied by Squid. Some Squid code modifications may be necessary to make this work correctly with persistent Squid-to-peer connections and such, but nothing major AFAICT (and they can be turned off using server_persistent_connections if they are in the way).

AFAICT, with either SslBump or some Squid code modifications, that reverse proxy can be a Squid proxy. With even more Squid enhancements, that reverse proxy can also become an https_port on the same Squid proxy instance where the http_port receives plain HTTP requests!

At some point, depending on the use case, it will be easier to enhance Squid to encrypt plain HTTP requests without using this TLS cache_peer hack, of course.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux