Transparent http/https proxy.

[Pepo T.]

Hi! I'm trying to replace a squid cache proxy with envoy. Actually I don't need the caching features of a proxy.

I'm not an expert in envoy, have little experience with it and a bit confused with its configuration.

The main requirement of my setup is that envoy must do the TLS termination and start a new one with the destination domain. It's a requirement because some of the requested domains are being blocked by Cloudflare WAF. The thing is that they are fringerprinting the TLS and blocking everything that is not coming from a real browser. My tests with a curl compiled with BoringSSL bypasses that fingerprinting, so consequently I think that envoy will also do it as it uses BoringSSL.

I've tried a modified version of this config: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/dynamic_forward_proxy_filter, without the rewrite part.

Issuing the following command:

curl -A "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" -x "http://localhost:10001" https://google.com

fails with a 404 due to the fact that it doesn't contains a CONNECT match:

curl: (56) Received HTTP code 404 from proxy after CONNECT

If I add a CONNECT matcher (transparent_proxy_connect.yml) and try to do a request to google.com:

curl -A "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" -x "http://localhost:10001" https://google.com

Gives the following error:

curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

Trying to connect to wikipedia.com it throws a different one:

curl: (56) Received HTTP code 503 from proxy after CONNECT

I'm kinda confused and stuck with this scenario and I'll really appreciate any help on this concern.

Thanks in advance for your support.

Best Regards, Pepe.

[Pepo T.]

I miss the attachments from the previous messages, sorry, here they are.