0

I have a smart DNS setup, using dnsmasq as the DNS server, which always resolves to my server IP address for a given list of domains.

I want to configure either a web server or a proxy program to listen on ports 80 and 443 on my server, which then forwards all the web requests to an external proxy server (squid) as proxy requests.

Would it be possible to do this using programs like nginx, haproxy, squid, etc., for both HTTP and HTTPS traffic, without SSL termination on the server?

So far, none of the configs I have tested worked. HAProxy config:

frontend https_front
    bind *:443
    mode tcp
    default_backend squid_backend_https

backend squid_backend_https
    mode tcp
    server squid_proxy 111.22.32.11:3323

Nginx config:

stream {
    upstream ssl_backend {
        server 111.22.32.11:3323;
    }

    server {
        listen 443;
        proxy_protocol on;
        tcp_nodelay on;
        proxy_pass ssl_backend;
        ssl_preread on;
        proxy_ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers 'HIGH:!aNULL:!MD5';
        proxy_ssl on;
        proxy_ssl_server_name on;
        #proxy_next_upstream on;
        proxy_ssl_verify off;
    }
}

I presume that the backend program listening on 80 and 443 should effectively forward the HTTP/HTTPS web request as a proxy request to the external proxy server (squid).

Firstly, is it theoretically possible to achieve this using just haproxy, squid, nginx, or any similar program?

Any help on how to achieve this would be greatly appreciated. Thanks.

Update 1

The external proxy server is needed to access the required websites. If I add the proxy IP:port manually in the browser, it works fine.

But I have a limitation on some applications where the proxy can't be added. To bypass that issue, I am testing out a setup where, for requests to those specific domains, the DNS resolves to my reverse proxy, which then needs to serve the requests through the external proxy server.

The DNS part is working fine. It resolves to my reverse proxy IP for the required domains. I am stuck trying to configure the reverse proxy (not just nginx, open to any other program) to serve the requests through the external proxy.

The reverse proxy does not have access to SSL certs for the domains. The SSL termination is done after the request is forwarded to the external proxy server.

Update 2

I do not have the option to provision certificates for those domains on the reverse proxy.

One way I could think of is configuring the reverse proxy to redirect the HTTPS traffic, along with SNI, to the external proxy, without terminating the SSL on the server.

The only machine on which I can make any meaningful changes is the reverse proxy server. The server is running Ubuntu 22.04.

The only change that can be made on the client machines is the DNS server IP (dnsmasq server).

I do not have provision to make any changes to the external proxy (squid).

The external proxy accepts only HTTP relay and CONNECT proxy connections.

Hope this makes the question a bit more clear.

loxtic
  • 21
  • Does this answer your question? How to set up Nginx as a caching reverse proxy? And moreover, squid is slower than nginx IIRC, and nginx could do the same without squid – djdomi Jan 18 '24 at 05:57
  • Why do you want to proxy to squid? Keep it simple and don't reverse proxy to squid. First get your squid working; small steps make big footprints – Turdie Jan 18 '24 at 06:15
  • @Turdie Squid was just given as an example. I want the program which is running on 80 and 443 as HTTP/HTTPS ingress to forward the web request to a proxy server (which is already configured and working for both HTTP and HTTPS) – loxtic Jan 18 '24 at 07:29
  • @djdomi Sorry, that is not what I am looking for; maybe my question was not clear enough. I want to configure a program to accept web requests on 80/443, and then forward the web requests as proxy requests to an external proxy server. It should happen irrespective of which website was requested. The external proxy is already configured and working as intended. I need to configure the program which runs on ports 80 and 443 for HTTP/HTTPS web requests. – loxtic Jan 18 '24 at 07:32
  • That's what a reverse proxy does: it gets the request and sends it to another destination. Since the other proxy simply waits for HTTP requests, it will do your job. I'm not sure why you shouldn't use the advanced nginx caching features; I think you should update your question to give us more information about what you want to solve. It may be like an X-and-Y problem where X is what you want, but Y is what you have now. ;-) – djdomi Jan 18 '24 at 07:42
  • @djdomi Updated the question to make it more clear. – loxtic Jan 18 '24 at 07:58
  • There are several ways this MIGHT be achieved, but from your question I think you're going to need a lot of explanation. If you told us whether you can provision a certificate for the site in question, what OS the client is running on, whether you control the squid configuration, and whether this is your own environment or a work one, then we might have a chance at answering this sensibly. Alternatively, if you told us what the problem software is and what OS it's running on, then we might be able to provide a less complicated solution. – symcbean Jan 18 '24 at 10:30
  • @symcbean Updated the question with further clarifications. – loxtic Jan 18 '24 at 14:20
  • Please let us know what exactly you want; it is starting to sound to me more like a MITM attack for now. Moreover, the start of the question is similar to an X-and-Y problem IMHO. – djdomi Jan 19 '24 at 07:27

2 Answers

1

Based on Update 2, the only viable solution is to implement an additional proxy between the client and the existing proxy to prefix the stream from the client side with "CONNECT hostname".

Corkscrew (more traditionally used for tunnelling SSH connections via a web proxy) can do that, but it only talks to stdin/stdout and executes as a single thread. Running it via xinetd solves these constraints.

Then you just have the issue of routing the traffic to the corkscrew host. That could be done with iptables or by DNS.

symcbean
  • 22,376
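As an added example (not part of symcbean's answer, and not the configs from the question), the following Python 3.8+ relay does in one process what that answer describes with corkscrew plus xinetd: it listens on 80 and 443, reads the hostname out of the client's first bytes (the SNI extension of the TLS ClientHello on 443, the Host header on 80), sends `CONNECT host:port` to the upstream proxy, and once the proxy answers 2xx it replays the bytes it already consumed and splices the two sockets. The TLS session is never terminated, so the relay needs no certificate for the target domains. It uses only the standard library. PROXY_HOST/PROXY_PORT are placeholders taken from the IP:port in the question, and it is assumed that dnsmasq already resolves the chosen domains to the host running this script.

```python
# Ingress relay for the question's setup: listen on 80/443, take the target host from the
# client's first bytes (TLS SNI on 443, Host header on 80), CONNECT through the upstream
# proxy and splice the sockets; TLS passes through untouched. Added example, not page code.
import contextlib
import socket
import struct
import sys
import threading
PROXY_HOST, PROXY_PORT = "111.22.32.11", 3323   # assumed placeholder: the external Squid

def parse_sni(data):
    """Return server_name from a TLS ClientHello record, or None."""
    try:
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]           # handshake message
        if data[0] != 0x16 or hs[0] != 0x01:        # not a handshake record / not a ClientHello
            return None
        p = 39 + hs[38]                             # skip header, version, random, session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                # cipher_suites
        p += 1 + hs[p]                              # compression_methods
        p, end = p + 2, p + 2 + struct.unpack("!H", hs[p:p + 2])[0]  # extensions block
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0:                          # server_name extension
                q = p + 6                           # past extension header and list length
                while q + 3 <= p + 4 + elen:
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if hs[q] == 0:                  # host_name entry
                        return hs[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def parse_http_host(data):
    """Return the host from the Host header of a complete HTTP/1.x request head."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    for line in (head.split(b"\r\n")[1:] if sep else []):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":         # drop :port (IPv6 literals not handled)
            return value.strip().decode("ascii", "replace").rsplit(":", 1)[0]
    return None

def build_connect(host, port):
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def connect_ok(reply):                              # True for a 2xx status line from the proxy
    parts = reply.split(b"\r\n", 1)[0].split(b" ", 2)
    return len(parts) > 1 and parts[0].startswith(b"HTTP/1.") and parts[1][:1] == b"2"

def open_tunnel(host, port):
    """Ask the upstream proxy for a tunnel to host:port; return the connected socket."""
    s = socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10)
    s.sendall(build_connect(host, port))
    reply = s.recv(4096)                            # the CONNECT reply fits in one segment
    if not connect_ok(reply):
        s.close()
        raise ConnectionError(f"CONNECT {host}:{port} refused: {reply[:60]!r}")
    return s

def pump(src, dst):
    """Copy one direction until EOF or error, then half-close the other side."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client, local_port):
    with client:
        client.settimeout(10)                       # no hostname within 10 s: drop the client
        buf = b""
        try:
            while not (host := (parse_sni(buf) if local_port == 443 else parse_http_host(buf))):
                chunk = client.recv(16384)          # the head may arrive in pieces
                if not chunk or len(buf) > 16384:
                    return
                buf += chunk
            upstream = open_tunnel(host, local_port)
        except OSError as exc:
            print(f"port {local_port}: {exc}", file=sys.stderr)
            return
        client.settimeout(None)
        with upstream:
            upstream.sendall(buf)                   # replay the bytes consumed above
            t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            t.start()
            pump(client, upstream)
            t.join()

def serve(local_port):
    srv = socket.create_server(("0.0.0.0", local_port))
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn, local_port), daemon=True).start()

if __name__ == "__main__":                          # needs root or CAP_NET_BIND_SERVICE
    threading.Thread(target=serve, args=(80,), daemon=True).start()
    serve(443)
```

Run it as root (or with CAP_NET_BIND_SERVICE) on the Ubuntu 22.04 box that dnsmasq resolves the domains to. Three things to check before relying on it. First, a Squid with the stock `http_access deny CONNECT !SSL_ports` rule refuses CONNECT to port 80, in which case the plain-HTTP path has to rewrite the request line to the absolute-URI form (`GET http://host/path HTTP/1.1`) and send it to the proxy as a normal proxy request instead of tunnelling it. Second, the relay has no access control of its own: any client that can reach ports 80/443 can tunnel through the upstream proxy to whatever SNI it chooses, so it should only be reachable from the machines that use the dnsmasq server. Third, clients that send no SNI, or an HTTP request without a Host header, are dropped after 10 seconds because there is no hostname to put in the CONNECT.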
0

With HAProxy this should work:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http-in
    bind *:80
    default_backend your_backend

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1   # specify the path to your SSL certificates
    default_backend your_backend

backend your_backend
    server backend-server1 192.168.1.10:80   # replace with the IP and port of your backend server

Nginx: to be able to proxy HTTPS traffic, both sides need an SSL certificate.

server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://your_backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;

    location / {
        proxy_pass https://your_backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Add this vhost to /etc/nginx/sites-available, create a symlink in sites-enabled, and reload nginx.

Turdie
  • 2,564
  • But he is already using nginx; why should he implement another reverse proxy? – djdomi Jan 18 '24 at 07:37
  • Thanks for the config, will test this. I do not have the SSL certs for the domains, and the SSL termination would happen on the external proxy server. I just need to forward all requests to the external proxy. Will update the question with the same information. – loxtic Jan 18 '24 at 07:38
  • @djdomi Nginx would be acting as the reverse proxy. The IP of the nginx is provided by the DNS server. Once the request reaches nginx, it needs to be processed through an external proxy server (this proxy is required to access the website). – loxtic Jan 18 '24 at 07:43
  • I added an nginx config – Turdie Jan 18 '24 at 07:49
  • @Turdie Thanks, will test it – loxtic Jan 18 '24 at 07:58
  • In addition to what Turdie posted based on my information: you can also use an invalid certificate for the nginx reverse proxy, as by default it does not check whether it's a good or bad one. – djdomi Jan 18 '24 at 15:26