On 2026-03-04 11:03, Anthony Pankov wrote:

> I still want to modify Squid in such a way that it can forward
> clients' HTTP traffic to a parent cache in plain form. I mean, after
> bumping SSL (the frontend Squid establishes a TLS connection with the client),
> requests from the client should go to the parent cache as plain HTTP
> (GET etc.).

Let's split this problem into two parts:

Part 1: Bumping the client.

Do you want your Squid to bump the TLS client connection without talking to the TLS origin server? Bugs notwithstanding, that should already be possible using unsupported "ssl_bump client-first all" or, after defining step1,

    ssl_bump stare step1
    ssl_bump bump all

Or does the client need to see something from the TLS origin server certificate to work correctly? In that case, you have to use something like "ssl_bump stare all" but it will complicate Part 2 changes.


Part 2: Forwarding bumped GET requests to cache_peers "as is", without a second layer of encryption.

This part depends on Part 1. Let's come back to this after Part 1 is working.


HTH,

Alex.


> The connection between Squid servers is already encrypted, so I don't need any
> additional TLS (security) layer.
>
> Also, for simplification, I assume the never_direct directive for this traffic on the
> frontend.
> I understand that this will preclude any checks of the origin server certificate, but
> this is not a problem because the policy for the origin may be applied in the parent
> cache.
>
> I tried to modify FwdState::noteConnection to avoid establishTunnelThruProxy()
> and FwdState::secureConnectionToPeerIfNeeded to avoid secureConnectionToPeer(),
> but had no luck.
>
> They use request.flags sslBumped and sslPeek, which I do not fully understand. sslPeek
> is described as "internal ssl-bump request to get server cert", but it is always true
> when I'm in noteConnection.
>
> Also I noticed the async SslBumpEstablish, which calls switchToHttps. Because of the asyncs I can't
> fully understand where I can preclude switching connections to the parent cache to
> "CONNECT" mode rather than using them plain.
>
> Any help would be appreciated.



_______________________________________________
squid-dev mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-dev
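As an added illustration (not from either message in the thread), here is a squid.conf fragment for the frontend that puts Alex's Part 1 suggestion ("ssl_bump stare step1" followed by "ssl_bump bump all") together with Anthony's stated assumptions (never_direct, a single parent cache, no origin certificate checks on the frontend). Directive names are those of Squid 4 and later; the certificate path, helper path, hostname and ports are placeholders.

```conf
# Added example, not from the thread: frontend Squid that bumps the TLS client
# without contacting the origin server and forces all traffic to one parent.
# Paths, hostnames and ports below are placeholders.

# Explicit-proxy port that accepts CONNECT and bumps it. The CA certificate
# and key in bump-ca.pem are used to mint a per-host certificate for the client.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that generates and caches the minted certificates (Squid 4+ name;
# the install path differs between distributions).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Name the first SslBump step: the CONNECT has been received, no TLS bytes yet.
acl step1 at_step SslBump1

# Part 1 as suggested in the reply above: stare at step1, bump at step2.
# The minted certificate is derived from the CONNECT target / client SNI,
# so the frontend never sees the origin server's certificate (Alex's caveat).
ssl_bump stare step1
ssl_bump bump all

# Anthony's assumption: never go direct; everything goes to the parent cache,
# which is where origin policy is applied instead.
cache_peer parent.example.net parent 3128 0 no-query default
never_direct allow all
```

This configuration covers Part 1 only. With it in place the frontend still forwards the bumped requests to the cache_peer inside a CONNECT tunnel with its own TLS layer, which is exactly the Part 2 behaviour (establishTunnelThruProxy / secureConnectionToPeer) the thread is trying to change in the Squid source; no squid.conf directive removes that second layer.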
