Tuesday, January 27, 2026, 9:37:00 PM, you wrote:

> On 2026-01-27 09:36, Anthony Pankov wrote:
>> Tuesday, January 27, 2026, 4:58:34 PM, you wrote:
>>
>>> On 2026-01-27 06:46, Anthony Pankov wrote:
>>>
>>>> I'm wondering whether it is possible, and what the logic will be, if I configure
>>>> squid for ssl bumping and to always go to cache_peer (never direct)
>>>> at the same time?
>>>
>>> Squid does not support "TLS inside TLS" yet, resulting in the following
>>> three possible use cases/answers:
>>>
>>> Bugs notwithstanding, bumping client traffic while talking to a cache_peer
>>>
>>> * ... should be possible if that cache_peer listens for plain text HTTP
>>> connections (e.g., cache_peer is a Squid instance listening on an
>>> http_port). Just configure Squid to always go to that cache_peer (see
>>> never_direct directive documentation). When forwarding bumped traffic,
>>> Squid will send a plain text CONNECT request to that cache_peer (and
>>> forward TLS traffic inside that CONNECT tunnel).
>>
>> I'm mostly interested in the SSLBump steps. They include "Get TLS Server
>> Hello info from the server, including the server certificate"
>> [https://wiki.squid-cache.org/Features/SslPeekAndSplice].
>> Will squid go to the origin server in a Bump step for "Server hello"
>> despite the never_direct configuration?
>
> Short answer: "Yes".
>
> At TCP level, Squid will connect to the cache_peer and ask that cache_peer to
> connect to the origin server, creating a TCP tunnel. At TLS level, Squid will
> be talking to the TLS origin server (using that TCP tunnel through the
> cache_peer).

Great! It is really amazing that nowadays software does things the right way, strictly conforming to standards and logic. Thank you.

>>> * ... may also be possible if that cache_peer is an originserver peer that
>>> listens for TLS connections (e.g., cache_peer is a Squid instance listening
>>> on an https_port in "accel" mode). I am not sure whether Squid has enough
>>> code to handle this configuration. Same never_direct configuration approach
>>> would apply here. When forwarding bumped traffic, Squid will open a TLS
>>> connection to that cache_peer.
>>>
>>> * ... is not possible if that cache_peer is a proxy that listens for TLS
>>> connections (e.g., cache_peer is a Squid instance listening on an
>>> https_port in the default forward proxy mode).
>>>
>>> HTH,
>>>
>>> Alex.
>>>
>>> P.S. "Peering support for SslBump" functionality was added in Squid v5, but
>>> you should use Squid v7+.

-- 
Best regards,
Anthony

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
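For readers who want to see the first (supported) case from the thread spelled out as a squid.conf fragment, below is an added example; it is not configuration posted by Alex or Anthony, nor taken from the Squid project. It assumes a bumping Squid on port 3128, a CA certificate/key pair at /etc/squid/bump-ca.crt and /etc/squid/bump-ca.key, a certificate generator database at /var/lib/squid/ssl_db, and an upstream plain-HTTP Squid proxy named upstream-proxy.example.net on port 3128; all of those names and paths are placeholders. The peek-then-bump rules cause Squid to learn the origin's TLS handshake details before mimicking its certificate, and never_direct forces that origin connection through a plain CONNECT tunnel to the peer, which is the behaviour Alex describes. The commented-out peer line shows the third case (a TLS-listening forward-proxy peer) that Alex says is not supported, so it is left disabled.

```conf
# Added example, not from the original thread or the Squid project.
# Paths, hostnames and ports below are assumptions for illustration.

# Client-facing port with SSL bumping; Squid mints per-host certificates
# signed by the CA in bump-ca.crt/bump-ca.key (assumed paths).
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/bump-ca.crt \
    tls-key=/etc/squid/bump-ca.key

# Certificate generator helper and its on-disk database (assumed path).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at step 1 (read the ClientHello / SNI), then bump: to build the
# mimicked certificate Squid must fetch the origin's ServerHello and
# certificate, which is the "Get TLS Server Hello info" step in question.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Case 1 from the thread: a parent peer that speaks plain-text HTTP.
# Squid sends a plain CONNECT to this peer and runs the origin TLS
# handshake inside that tunnel. (assumed hostname)
cache_peer upstream-proxy.example.net parent 3128 0 no-query default

# Case 3 from the thread: a forward-proxy peer that itself expects TLS
# would require TLS-inside-TLS, which Squid does not support, so this
# form of the peer line is deliberately left disabled.
# cache_peer upstream-proxy.example.net parent 3129 0 no-query default tls

# Never bypass the peer: every origin connection, including the one used
# to obtain the ServerHello during bumping, goes via the cache_peer.
never_direct allow all
```

When testing this, the sanity check is on the peer: its access log should show CONNECT requests for the bumped hosts arriving from the bumping Squid, and a packet capture on the bumping Squid's egress should show only one TLS layer inside those CONNECT tunnels, with no direct connections to the origin hosts.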
