Best way to reverse proxy ssl traffic (as distinct from https traffic)

  • Hi. I'd be grateful for a pointer as to whether the below is possible please.

    I have an aging resource that needs to be accessed from the Internet but only supports the older (vulnerable) TLS standards.

    Yes, I could replace it, but in the interim I'd like to use a reverse proxy (e.g. Squid) to proxy the traffic and repackage it into TLS 1.2 etc.

    I know Squid can reverse proxy HTTPS (though I'm having trouble setting it up...) but can it also proxy pure SSL traffic?

    The resource does use HTTPS, but there are also other circumstances where it is operating using SSL (but not with HTTPS as the underlying payload).

    So in other words I want Squid to receive the TLS 1.2 SSL traffic and, without caring what it is, repackage it into TLS 1.1 for internal comms with the resource, and vice versa for outbound traffic.

    Is that possible please?

  • I think I've got it to go. It's not actually Squid I needed. It's HAProxy.

    It's now transparently encrypting in TLS 1.2 when I try to access the resource.

  • LAYER 8 Global Moderator

    Yeah, HAProxy would be a better choice for sure. And with 2.5 and the update to OpenSSL 1.1.1 you should be able to update to TLS 1.3 even.
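    For readers who want to reproduce the HAProxy setup described in the thread, here is an added example configuration (not posted by anyone in the thread): a TCP-mode frontend that only accepts TLS 1.2+ from the Internet and a backend that re-encrypts to the legacy host with TLS 1.1, so the weak protocol is confined to the internal hop. The listening port 8443, the certificate paths and the backend address 10.0.0.5 are assumptions.

```haproxy
# Added example, not from the thread. Paths, ports and addresses are assumed.
global
    log /dev/log local0
    # Applied to every "bind ... ssl" line: refuse anything below TLS 1.2
    # from Internet clients, and offer only AEAD cipher suites.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384

defaults
    mode tcp            # raw TLS tunnel: the payload (HTTP or not) is never parsed
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend legacy_public
    # Assumed: PEM bundle (certificate + private key) for the public hostname.
    bind *:8443 ssl crt /etc/haproxy/certs/public.pem
    default_backend legacy_internal

backend legacy_internal
    # Assumed: the legacy host on the LAN, which only speaks TLS 1.0/1.1.
    # ssl-max-ver pins the downgrade to this hop; "verify required" with the
    # host's own CA stops the proxy from being redirected to an impostor.
    server legacy 10.0.0.5:443 ssl ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.1 verify required ca-file /etc/haproxy/certs/legacy-ca.pem check
```

On HAProxy builds linked against OpenSSL 3.x, the default security level rejects TLS 1.0/1.1 outright, so the backend server line may additionally need a cipher list ending in `@SECLEVEL=0` via `ciphers`; this depends on the build and is an assumption to check with `haproxy -c -f`.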
