On 2026-01-27 06:46, Anthony Pankov wrote:
> I'm wondering whether it is possible, and what the logic will be, if I configure
> Squid for SSL bumping and to always go to a cache_peer (never direct)
> at the same time?
Squid does not support "TLS inside TLS" yet, resulting in the following
three possible use cases/answers:
Bugs notwithstanding, bumping client traffic while talking to a cache_peer
* ... should be possible if that cache_peer listens for plain text HTTP
connections (e.g., cache_peer is a Squid instance listening on an
http_port). Just configure Squid to always go to that cache_peer (see
never_direct directive documentation). When forwarding bumped traffic,
Squid will send a plain text CONNECT request to that cache_peer (and
forward TLS traffic inside that CONNECT tunnel).
* ... may also be possible if that cache_peer is an originserver peer
that listens for TLS connections (e.g., cache_peer is a Squid instance
listening on an https_port in "accel" mode). I am not sure whether Squid
has enough code to handle this configuration. The same never_direct
configuration approach would apply here. When forwarding bumped traffic,
Squid will open a TLS connection to that cache_peer.
* ... is not possible if that cache_peer is a proxy that listens for TLS
connections (e.g., cache_peer is a Squid instance listening on an
https_port in the default forward proxy mode).
HTH,
Alex.
P.S. "Peering support for SslBump" functionality was added in Squid v5,
but you should use Squid v7+.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
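A squid.conf sketch of the first (plain-text HTTP peer) case described in the reply above, with the second (TLS originserver peer) case and the unsupported third case shown as commented alternatives. This is an added illustration, not configuration from the reply, the original poster, or the Squid project; the host names, certificate paths, port numbers and directory paths are assumed placeholders.

```conf
# --- SslBump on the client-facing port (Squid 5+ option names) ---
# tls-cert/tls-key: the CA that signs the generated per-host certificates.
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/bump-ca.pem \
    tls-key=/etc/squid/bump-ca.key

# Helper that mints the forged server certificates (paths are assumed).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the TLS ClientHello first, then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# --- Case 1 (works per the reply): peer is a proxy on a plain-text http_port ---
# Squid sends a plain-text CONNECT to this peer and tunnels the (re-encrypted)
# TLS traffic of the bumped session inside it.
cache_peer upstream-proxy.example.internal parent 3128 0 no-query default

# Never contact origin servers directly; everything goes through the peer.
never_direct allow all

# --- Case 2 (reply says "may also be possible"): TLS originserver peer ---
# Squid would open a TLS connection to the accelerated origin instead of
# sending CONNECT. Replace the cache_peer line above with:
# cache_peer origin.example.internal parent 443 0 no-query originserver tls \
#     tls-cafile=/etc/squid/origin-ca.pem

# --- Case 3 (reply says NOT possible): forward-proxy peer on an https_port ---
# This would require TLS (to the peer) wrapped around TLS (to the origin),
# i.e. "TLS inside TLS", which the reply says Squid does not support yet:
# cache_peer upstream-proxy.example.internal parent 3129 0 no-query tls
```

Validate the file with `squid -k parse` before reloading; a cache_peer option that the running Squid version does not recognise is reported at parse time rather than silently ignored.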