[squid-dev] forward bumped traffic to parent in plain form

Alex Rousskov rousskov at measurement-factory.com
Wed Mar 4 18:43:45 UTC 2026


On 2026-03-04 11:03, Anthony Pankov wrote:

> I still want to modify Squid in such a way that it can forward
> clients' HTTP traffic to a parent cache in plain form. I mean that after
> bumping SSL (the frontend Squid establishes a TLS connection with the client),
> requests from the client should go to the parent cache as plain HTTP
> (GET etc.)

Let's split this problem into two parts:

Part 1: Bumping the client.

Do you want your Squid to bump the TLS client connection without talking 
to the TLS origin server? Bugs notwithstanding, that should already be 
possible using unsupported "ssl_bump client-first all" or, after 
defining step1,

     ssl_bump stare step1
     ssl_bump bump all

Or does the client need to see something from the TLS origin server 
certificate to work correctly? In that case, you have to use something 
like "ssl_bump stare all" but it will complicate Part 2 changes.


Part 2: Forwarding bumped GET requests to cache_peers "as is", without a 
second layer of encryption.

This part depends on Part 1. Let's come back to this after Part 1 is 
working.


HTH,

Alex.


> Connection between Squid servers is already encrypted so I don't need any additional TLS (security) layer.
> 
> Also, for simplification, I assume the never_direct directive for this traffic on the front-end.
> I understand that it will preclude any checks of the origin server certificate but this is not a problem because the policy for the origin may be applied in the parent cache.
> 
> I tried to modify FwdState::noteConnection to avoid establishTunnelThruProxy() and FwdState::secureConnectionToPeerIfNeeded to avoid secureConnectionToPeer() but had no luck.
> 
> They use request.flags sslBumped and sslPeek that I do not fully understand. sslPeek is described as "internal ssl-bump request to get server cert" but it is always true when I'm in noteConnection.
> 
> Also I noted the async SslBumpEstablish which calls switchToHttps. Because of the asyncs I can't fully understand where I can preclude switching connections to the parent cache to "CONNECT" mode rather than using it plain.
> 
> Any help would be appreciated.
> 
> 



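Worked front-end squid.conf fragment for Part 1 of Alex's reply, added here as an editorial example; it is not part of either message in the thread and not Squid project code. The port numbers, file paths, and the parent's address are assumptions. It wires Alex's "stare step1 / bump all" rules to the step ACL they need, keeps the client-first and stare-all variants he mentions as commented alternatives, and adds the never_direct/cache_peer setup Anthony describes. It does not implement Part 2: with this configuration an unmodified Squid still reaches the parent through a CONNECT tunnel carrying a second TLS layer, which is the behaviour Anthony wants to remove.

```conf
# Front-end Squid: explicit proxy port that bumps CONNECT tunnels.
# (Added example; paths, ports and addresses are assumptions.)
# Squid mints a per-host server certificate signed by the CA in ca.pem,
# so clients must trust that CA.
http_port 3128 ssl-bump tls-cert=/etc/squid/ca.pem tls-key=/etc/squid/ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# The SslBump step ACLs; Alex's rules need step1 defined.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Part 1: bump the client without talking to the TLS origin server.
# At step 1 Squid has only the CONNECT request; staring moves it to
# step 2, where it reads the client's ClientHello (SNI). Bumping there
# builds the fake certificate from that SNI, so no origin connection is
# made and the client sees nothing from the origin's certificate.
ssl_bump stare step1
ssl_bump bump all

# Variant Alex calls unsupported: bump before any server contact at all.
# ssl_bump client-first all

# Variant for clients that must see origin certificate details. This
# opens a TLS connection to the origin, which Alex notes complicates
# Part 2.
# ssl_bump stare all

# Anthony's setup: everything goes via the parent, never direct, so the
# origin certificate is not checked on this hop (policy lives on the
# parent). The parent address is an assumption.
cache_peer 10.0.0.2 parent 3128 0 no-query default
never_direct allow all
```

A quick check that the bump really avoids the origin: with the two-rule variant in place, a client CONNECT to a host that is unreachable from the front-end should still complete the TLS handshake against the generated certificate, and the origin is only contacted (via the parent) when the decrypted GET is forwarded.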