On 2026-01-27 09:36, Anthony Pankov wrote:
Tuesday, January 27, 2026, 4:58:34 PM, you wrote:

On 2026-01-27 06:46, Anthony Pankov wrote:

I'm wondering whether it is possible, and what the logic will be, if I configure
squid for ssl bumping and to always go to cache_peer (never direct)
at the same time?

Squid does not support "TLS inside TLS" yet, resulting in the following three 
possible use cases/answers:

Bugs notwithstanding, bumping client traffic while talking to a cache_peer

* ... should be possible if that cache_peer listens for plain text HTTP 
connections (e.g., cache_peer is a Squid instance listening on an http_port). 
Just configure Squid to always go to that cache_peer (see never_direct 
directive documentation). When forwarding bumped traffic, Squid will send a 
plain text CONNECT request to that cache_peer (and forward TLS traffic inside 
that CONNECT tunnel).

I'm mostly interested in the SSLBump steps. They include "Get TLS Server Hello info 
from the server, including the server certificate" 
[https://wiki.squid-cache.org/Features/SslPeekAndSplice].
Will squid go to the origin server in a Bump step for "Server hello" despite 
the never_direct configuration?

Short answer: "Yes".

At TCP level, Squid will connect to the cache_peer and ask that cache_peer to connect to the origin server, creating a TCP tunnel. At TLS level, Squid will be talking to the TLS origin server (using that TCP tunnel through the cache_peer).


HTH,

Alex.



* ... may also be possible if that cache_peer is an originserver peer that listens for 
TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in 
"accel" mode). I am not sure whether Squid has enough code to handle this 
configuration. Same never_direct configuration approach would apply here. When forwarding 
bumped traffic, Squid will open a TLS connection to that cache_peer.

* ... is not possible if that cache_peer is a proxy that listens for TLS 
connections (e.g., cache_peer is a Squid instance listening on an https_port in 
the default forward proxy mode).


HTH,

Alex.

P.S. "Peering support for SslBump" functionality was added in Squid v5, but you 
should use Squid v7+.

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
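The first case Alex lists (bumping clients while forcing everything through a cache_peer that speaks plain-text HTTP), written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the CA file paths, the peer hostname and the ports are assumptions.

```conf
# Added example, not from the thread: squid.conf for "bump clients, never go
# direct, forward via a plain-text HTTP cache_peer". Paths, hostname and
# ports below are assumed values.

# Bumping listener for clients; the CA cert/key is used to mint per-host certs
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    tls-key=/etc/squid/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello in step 1, then bump the rest of the handshake.
# The ServerHello is still fetched from the origin, but over the peer tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Upstream proxy that listens for plain HTTP (e.g. another Squid http_port)
cache_peer upstream.example.internal parent 3128 0 no-query default

# Never contact origin servers directly: every request, including the
# plain-text CONNECT that carries the bumped TLS session, goes via the peer
never_direct allow all
```

On the upstream peer, each bumped session should show up in its access.log as a CONNECT from this Squid; the peer only relays the TCP tunnel and still sees TLS inside it, while the TLS handshake with the origin belongs to the bumping Squid.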


