On 2026-02-18 06:40, Anthony Pankov wrote:
> Hello Alex,
>
> Tuesday, January 27, 2026, 4:58:34 PM, you wrote:
>> On 2026-01-27 06:46, Anthony Pankov wrote:
>>> I'm wondering whether it is possible, and what the logic will be, if I
>>> configure Squid for SSL bumping and to always go to cache_peer (never
>>> direct) at the same time?
>>
>> Squid does not support "TLS inside TLS" yet, resulting in the following three
>> possible use cases/answers:
>>
>> Bugs notwithstanding, bumping client traffic while talking to a cache_peer
>>
>> * ... should be possible if that cache_peer listens for plain text HTTP
>> connections (e.g., cache_peer is a Squid instance listening on an http_port).
>> Just configure Squid to always go to that cache_peer (see never_direct
>> directive documentation). When forwarding bumped traffic, Squid will send a
>> plain text CONNECT request to that cache_peer (and forward TLS traffic inside
>> that CONNECT tunnel).
>
> Is it somehow possible to forward all bumped traffic to the peer (never_direct)
> as plain HTTP?
>
> Client - (tls) - Squid - (plain http) - Peer - (tls) - Origin

Probably not.

> Is it possible to make the frontline Squid a TLS terminator (light
> cacher) while the Peer does the heavy caching and Origin interaction?

In a reverse proxy mode, Squid can terminate TLS, but that is not what
SslBump does. The two modes are mutually exclusive.

In an SslBump context, Squid should forward incoming bumped requests over
the original/bumped connection to the TLS origin server. There are
probably bugs in the connection pinning area, but I am not aware of any bugs
that would result in bumped requests leaving Squid unencrypted.

If you want plain text analysis, use an ICAP or eCAP REQMOD adaptation
service (that can forward traffic to/from any proxy if needed).

HTH,

Alex.

>> * ... may also be possible if that cache_peer is an originserver peer that listens for
>> TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in
>> "accel" mode). I am not sure whether Squid has enough code to handle this
>> configuration. The same never_direct configuration approach would apply here. When forwarding
>> bumped traffic, Squid will open a TLS connection to that cache_peer.
>>
>> * ... is not possible if that cache_peer is a proxy that listens for TLS
>> connections (e.g., cache_peer is a Squid instance listening on an https_port in
>> the default forward proxy mode).
>>
>> HTH,
>>
>> Alex.
>>
>> P.S. "Peering support for SslBump" functionality was added in Squid v5, but you
>> should use Squid v7+.
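To make the cases discussed in this thread concrete, here is a squid.conf fragment added as an illustration; it is not from the thread or from the Squid project, and the hostnames, ports, certificate paths, helper path and ICAP address are placeholders.

```conf
# Added illustration (not from the thread): the working case Alex describes,
# where a bumping Squid forwards everything to a parent Squid that listens for
# plain-text HTTP, plus the ICAP route he suggests for plain-text analysis.
# All hostnames, ports and paths below are assumed placeholder values.

# Client-facing port that bumps TLS. The CA cert/key in bump.pem is assumed to
# exist and to be trusted by the clients; with it this proxy can read every
# bumped session, so keep that key as tightly controlled as any CA key.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello first, then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Working case: the parent is a Squid on a plain http_port. Bumped traffic
# reaches it as a plain-text CONNECT carrying TLS to the origin, so the parent
# sees only the CONNECT host:port, never the decrypted requests.
cache_peer parent.example.internal parent 3128 0 no-query default name=plainparent
never_direct allow all

# Plain-text analysis happens here instead: decrypted requests are handed to an
# ICAP REQMOD service (address assumed) before any cache lookup.
icap_enable on
icap_service reqmod_svc reqmod_precache icap://127.0.0.1:1344/reqmod bypass=off
adaptation_access reqmod_svc allow all

# Unsupported case from the thread, shown for contrast and left commented out:
# a forward-proxy parent that itself expects TLS on an https_port would need
# "TLS inside TLS", which Squid does not do.
# cache_peer tlsparent.example.internal parent 3129 0 no-query tls
```

The `bypass=off` on the ICAP service means Squid fails closed if the analysis service is down, which is usually what you want when the whole point of bumping is inspection.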
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users