Hello Alex,
Tuesday, January 27, 2026, 4:58:34 PM, you wrote:

> On 2026-01-27 06:46, Anthony Pankov wrote:
>> I'm wondering whether it is possible, and what the logic will be, if I configure
>> squid for ssl bumping and to always go to cache_peer (never direct)
>> at the same time?

> Squid does not support "TLS inside TLS" yet, resulting in the following three
> possible use cases/answers:

> Bugs notwithstanding, bumping client traffic while talking to a cache_peer

> * ... should be possible if that cache_peer listens for plain text HTTP
> connections (e.g., cache_peer is a Squid instance listening on an http_port).
> Just configure Squid to always go to that cache_peer (see never_direct
> directive documentation). When forwarding bumped traffic, Squid will send a
> plain text CONNECT request to that cache_peer (and forward TLS traffic inside
> that CONNECT tunnel).

I'm mostly interested in the SslBump steps. They include "Get TLS Server Hello info from the server, including the server certificate" [https://wiki.squid-cache.org/Features/SslPeekAndSplice]. Will Squid go to the origin server in a bump step for "Server Hello" despite the never_direct configuration?

> * ... may also be possible if that cache_peer is an originserver peer that
> listens for TLS connections (e.g., cache_peer is a Squid instance listening
> on an https_port in "accel" mode). I am not sure whether Squid has enough
> code to handle this configuration. Same never_direct configuration approach
> would apply here. When forwarding bumped traffic, Squid will open a TLS
> connection to that cache_peer.

> * ... is not possible if that cache_peer is a proxy that listens for TLS
> connections (e.g., cache_peer is a Squid instance listening on an https_port
> in the default forward proxy mode).

> HTH,

> Alex.

> P.S. "Peering support for SslBump" functionality was added in Squid v5, but
> you should use Squid v7+.

-- 
Best regards,
Anthony

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
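
The first case in Alex's reply (bumping client traffic while always forwarding to a plain-text HTTP cache_peer), as an added squid.conf sketch that is not part of either message. The hostname, ports, certificate path and certgen helper path are assumptions; adjust them to the local installation.

```conf
# Constructed example: hostnames, ports and file paths are placeholders.

# Client-facing port that bumps TLS. The CA certificate/key file is assumed
# to exist already and to be trusted by the clients.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates (install path varies by distribution).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS Client Hello in step 1, then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Case 1 from the reply: the parent listens for plain-text HTTP (an http_port).
# Per the reply, Squid sends a plain-text CONNECT to this peer and forwards
# the TLS traffic inside that tunnel.
cache_peer parent.example.internal parent 3128 0 no-query default

# Case 3 from the reply (NOT possible): a forward-proxy parent on an
# https_port would need TLS to the peer around the tunnelled TLS,
# i.e. "TLS inside TLS".
# cache_peer parent.example.internal parent 3129 0 no-query default tls

# Never contact origin servers directly; always use a cache_peer.
never_direct allow all
```

With this in place, access.log entries for forwarded requests should carry a parent hierarchy code (for example `*_PARENT/...`) rather than `HIER_DIRECT/...`, which is a quick way to check that never_direct is taking effect.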
