[squid-dev] forward bumped traffic to parent in plain form

Anthony Pankov anthony.pankov at yahoo.com
Thu Mar 5 09:26:59 UTC 2026


Wednesday, March 4, 2026, 9:43:45 PM, you wrote:

> On 2026-03-04 11:03, Anthony Pankov wrote:

>> I still want to modify squid in such a way that it can forward
>> clients' http traffic to a parent cache in plain form. I mean after
>> bumping ssl (frontend-squid establishes a tls connection with a client)
>> requests from the client should go to the parent cache as plain http (
>> GET etc.)

> Let's split this problem into two parts:

> Part 1: Bumping the client.

> Do you want your Squid to bump the TLS client connection without talking to the TLS origin server?
Yes, for simplicity.

>  Bugs notwithstanding, that should already be possible using unsupported "ssl_bump client-first all" or, 

Common conf:

http_port 100.100.100.100:8080 ssl-bump generate-host-certificates=on \
  options=CIPHER_SERVER_PREFERENCE,NO_TLSv1,NO_SSLv3,NO_TLSv1_1 \
  tls-dh=prime256v1:/usr/local/etc/squid/sq-dhparams.pem \
  tls-cert=/usr/local/etc/squid/imc+.ots101.crt \
  tls-key=/usr/local/etc/squid/key.ots101-imc.pem \
  dynamic_cert_mem_cache_size=10MB

acl ssl_bump_step_1 at_step SslBump1
acl ssl_bump_step_2 at_step SslBump2
acl ssl_bump_step_3 at_step SslBump3

   with this conf:

ssl_bump client-first all

There is an error on the client (NO_CIPHER_OVERLAP) and an error on squid:

2026/03/05 11:33:45 kid1| ERROR: Cannot accept a TLS connection
    problem: failure
    error detail: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A0000C1+TLS_IO_ERR=1

> after defining step1,

>      ssl_bump stare step1
>      ssl_bump bump all

   with this conf:

ssl_bump stare ssl_bump_step_1
ssl_bump bump all

I've got this on the squid frontend:

2026/03/05 12:14:38 kid1| Squid plugin modules loaded: 0
2026/03/05 12:14:38 kid1| Accepting SSL bumped HTTP Socket connections at conn6 local=100.100.100.100:8080 remote=[::] FD 16 flags=9
    listening port: 100.100.100.100:8080
2026/03/05 12:15:18.505 kid1| 44,3| peer_select.cc(305) peerSelect: e:=IV/0x1a717e19d520*3 www.freshports.org:443
2026/03/05 12:15:18.505 kid1| 44,3| peer_select.cc(609) selectMore: CONNECT www.freshports.org
2026/03/05 12:15:18.505 kid1| 44,3| peer_select.cc(622) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)
2026/03/05 12:15:18.505 kid1| 44,3| peer_select.cc(340) checkNeverDirectDone: ALLOWED
2026/03/05 12:15:18.505 kid1| 44,3| peer_select.cc(346) checkNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2026/03/05 12:15:18.506 kid1| 44,3| peer_select.cc(609) selectMore: CONNECT www.freshports.org
2026/03/05 12:15:18.506 kid1| 44,3| peer_select.cc(282) peerSelectIcpPing: www.freshports.org:443
2026/03/05 12:15:18.506 kid1| 44,3| peer_select.cc(293) peerSelectIcpPing: counted 0 neighbors
2026/03/05 12:15:18.506 kid1| 44,3| peer_select.cc(828) selectSomeParent: CONNECT www.freshports.org
2026/03/05 12:15:18.507 kid1| 44,3| peer_select.cc(1097) addSelection: adding FIRSTUP_PARENT/fd05:562e:5a23::e25:3101
2026/03/05 12:15:18.507 kid1| 44,3| peer_select.cc(1091) addSelection: skipping ANY_OLD_PARENT/fd05:562e:5a23::e25:3101; have FIRSTUP_PARENT/fd05:562e:5a23::e25:3101
2026/03/05 12:15:18.507 kid1| 44,2| peer_select.cc(454) resolveSelected: Find IP destination for: www.freshports.org:443' via fd05:562e:5a23::e25:3101
2026/03/05 12:15:18.507 kid1| 44,2| peer_select.cc(1168) handlePath: PeerSelector1 found conn13 local=[fd05:562e:5a23::212:2e01] remote=[fd05:562e:5a23::e25:3101]:54321 FIRSTUP_PARENT flags=1, destination #1 for www.freshports.org:443
2026/03/05 12:15:18.507 kid1| 44,2| peer_select.cc(1174) handlePath:   always_direct = DENIED
2026/03/05 12:15:18.508 kid1| 44,2| peer_select.cc(1175) handlePath:    never_direct = ALLOWED
2026/03/05 12:15:19.106 kid1| 44,3| peer_select.cc(609) selectMore: GET www.freshports.org
2026/03/05 12:15:19.106 kid1| 44,3| peer_select.cc(1097) addSelection: adding PINNED/fd05:562e:5a23::e25:3101
2026/03/05 12:15:19.107 kid1| 44,3| peer_select.cc(828) selectSomeParent: GET www.freshports.org
2026/03/05 12:15:19.107 kid1| 44,3| peer_select.cc(1097) addSelection: adding FIRSTUP_PARENT/fd05:562e:5a23::e25:3101

...

2026/03/05 12:15:19.315 kid1| 44,2| peer_select.cc(476) resolveSelected:        timedout = 0
2026/03/05 12:15:19.315 kid1| 44,3| peer_select.cc(242) ~PeerSelector: www.freshports.org:443
2026/03/05 12:15:19 kid1| ERROR: Cannot accept a TLS connection
    problem: failure
    error detail: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
2026/03/05 12:15:19.794 kid1| 44,3| peer_select.cc(305) peerSelect: e:=IV/0x1a7180adf360*3 https://www.freshports.org/css/freshports.css?v=e1590210
2026/03/05 12:15:19.794 kid1| 44,3| peer_select.cc(609) selectMore: GET www.freshports.org
2026/03/05 12:15:19.794 kid1| 44,3| peer_select.cc(622) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)

...

2026/03/05 12:15:19.797 kid1| 44,2| peer_select.cc(1168) handlePath: PeerSelector5 found conn28 local=[fd05:562e:5a23::212:2e01] remote=[fd05:562e:5a23::e25:3101]:54321 FIRSTUP_PARENT flags=1, destination #2 for https://www.freshports.org/css/freshports.css?v=e1590210
2026/03/05 12:15:19.797 kid1| 44,2| peer_select.cc(1174) handlePath:   always_direct = DENIED
2026/03/05 12:15:19.797 kid1| 44,2| peer_select.cc(1175) handlePath:    never_direct = ALLOWED
2026/03/05 12:15:19.797 kid1| 44,2| peer_select.cc(1176) handlePath:        timedout = 0
2026/03/05 12:15:19.798 kid1| 44,2| peer_select.cc(473) resolveSelected: PeerSelector5 found all 2 destinations for https://www.freshports.org/css/freshports.css?v=e1590210
2026/03/05 12:15:19.798 kid1| 44,2| peer_select.cc(474) resolveSelected:   always_direct = DENIED
2026/03/05 12:15:19.798 kid1| 44,2| peer_select.cc(475) resolveSelected:    never_direct = ALLOWED
2026/03/05 12:15:19.798 kid1| 44,2| peer_select.cc(476) resolveSelected:        timedout = 0
2026/03/05 12:15:19.798 kid1| 44,3| peer_select.cc(242) ~PeerSelector: https://www.freshports.org/css/freshports.css?v=e1590210
2026/03/05 12:15:19.953 kid1| 44,3| peer_select.cc(305) peerSelect: e:=IV/0x1a7180adf360*3 https://www.freshports.org/javascript/freshports.js
2026/03/05 12:15:19.953 kid1| 44,3| peer_select.cc(609) selectMore: GET www.freshports.org
2026/03/05 12:15:19.954 kid1| 44,3| peer_select.cc(622) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)
2026/03/05 12:15:19.954 kid1| 44,3| peer_select.cc(340) checkNeverDirectDone: ALLOWED
2026/03/05 12:15:19.954 kid1| 44,3| peer_select.cc(346) checkNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2026/03/05 12:15:19.955 kid1| 44,3| peer_select.cc(609) selectMore: GET www.freshports.org
2026/03/05 12:15:19.955 kid1| 44,3| peer_select.cc(1097) addSelection: adding PINNED/fd05:562e:5a23::e25:3101
2026/03/05 12:15:19.955 kid1| 44,3| peer_select.cc(828) selectSomeParent: GET www.freshports.org
...
...

On the peer-cache I've got:

1772699911.111 30800 fd05:562e:5a23::212:2e01 TCP_MISS/200 4121 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772699911.133 31111 fd05:562e:5a23::212:2e01 TCP_MISS/200 4121 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772699911.133 31282 fd05:562e:5a23::212:2e01 TCP_MISS/200 4047 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772699909.281 33135 fd05:562e:5a23::212:2e01 TCP_MISS/200 249625 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772699911.133 31510 fd05:562e:5a23::212:2e01 TCP_MISS/200 4120 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772699910.418 32225 fd05:562e:5a23::212:2e01 TCP_MISS/200 6160 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772701843.186 255 fd05:562e:5a23::212:2e01 TCP_MISS/200 3611 CONNECT www.googletagmanager.com:443/ - DIRECT/www.googletagmanager.com -
1772701843.192 12188 fd05:562e:5a23::212:2e01 TCP_MISS/200 5214 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772701842.385 12995 fd05:562e:5a23::212:2e01 TCP_MISS/200 251669 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772701843.856 11524 fd05:562e:5a23::212:2e01 TCP_MISS/200 5100 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772701869.957 178 fd05:562e:5a23::212:2e01 TCP_MISS/200 3611 CONNECT www.googletagmanager.com:443/ - DIRECT/www.googletagmanager.com -
1772701869.963 31903 fd05:562e:5a23::212:2e01 TCP_MISS/200 5360 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -
1772701869.280 33510 fd05:562e:5a23::212:2e01 TCP_MISS/200 251916 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -

It did not work, unfortunately.

> Or does the client need to see something from the TLS origin server certificate to work correctly? 
No. I mean a split policy for now: client<->squid-frontend, peer_cache<->origin

> In that case, you have to use something like "ssl_bump stare all" but it will complicate Part 2 changes.

> Part 2: Forwarding bumped GET requests to cache_peers "as is", without a second layer of encryption.

> This part depends on Part 1. Let's come back to this after Part 1 is working.


> HTH,

> Alex.


>> Connection between the squid servers is already encrypted so I don't need any additional TLS (security) layer.
>> Also, for simplification, I assume the never_direct directive for this traffic on a front-end.
>> I understand that it will preclude any checks of the origin server certificate but this is not a problem because policy for the origin may be applied in a parent cache.
>> I tried to modify FwdState::noteConnection to avoid establishTunnelThruProxy() and FwdState::secureConnectionToPeerIfNeeded to avoid secureConnectionToPeer() but had no luck.
>> They use request.flags sslBumped and sslPeek that I do not fully understand. sslPeek is described as "internal ssl-bump request to get server cert" but it is always True when I'm in noteConnection.
>> Also I noted the async SslBumpEstablish which calls switchToHttps. Because of the asyncs I can't fully understand where I can preclude switching connections to the parent cache to "CONNECT" mode rather than using it plain.
>> Any help would be appreciated.


-- 
Best regards,
Anthony
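A small triage script, added here as an example and not part of this thread or of Squid itself, that does the two checks a reader of the logs above would want: it decodes the TLS_LIB_ERR value of the two "Cannot accept a TLS connection" errors, and it tallies what the parent cache's access.log shows arriving from the front-end. It assumes that TLS_LIB_ERR is OpenSSL 3.x's packed error code ((library << 23) | reason); the reason table is a small subset of libssl's sslerr.h, and the sample log lines are copied from the messages above. With those assumptions the first error decodes to SSL_R_NO_SHARED_CIPHER (consistent with the client's NO_CIPHER_OVERLAP) and the second to an unknown_ca alert sent by the client, while the parent's log contains only CONNECT tunnels, which is the direct way to confirm that bumped requests are not yet reaching the parent as plain GETs.

```python
import re
from collections import Counter

# OpenSSL 3.x packs an ERR_get_error() value as (library << 23) | reason.
# Assumption: Squid's TLS_LIB_ERR field is that packed value printed in hex.
ERR_LIB_SHIFT = 23
ERR_REASON_MASK = (1 << ERR_LIB_SHIFT) - 1
ERR_LIB_SSL = 20

# Small subset of libssl reason codes from OpenSSL's sslerr.h
# (a TLS alert received from the peer is reported as 1000 + alert number).
SSL_REASONS = {
    193: "SSL_R_NO_SHARED_CIPHER",
    1042: "SSL_R_SSLV3_ALERT_BAD_CERTIFICATE",
    1046: "SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN",
    1048: "SSL_R_TLSV1_ALERT_UNKNOWN_CA",
}

TLS_LIB_ERR_RE = re.compile(r"TLS_LIB_ERR=([0-9A-Fa-f]+)")


def decode_tls_lib_err(detail_line):
    """Split the TLS_LIB_ERR code of a cache.log 'error detail:' line into
    OpenSSL library and reason, naming the reason when it is in the table."""
    m = TLS_LIB_ERR_RE.search(detail_line)
    if m is None:
        raise ValueError("no TLS_LIB_ERR field in: " + detail_line)
    code = int(m.group(1), 16)
    lib = code >> ERR_LIB_SHIFT
    reason = code & ERR_REASON_MASK
    if lib != ERR_LIB_SSL:
        name = "not a libssl reason code"
    else:
        name = SSL_REASONS.get(reason, "unknown libssl reason")
    return {"code": code, "lib": lib, "reason": reason, "name": name}


# Squid native access.log layout:
# time elapsed client result/status bytes method url user hierarchy/peer type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_access_line(line):
    """Return the fields of one native-format access.log line, or None."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_peer_traffic(lines, frontend_addr):
    """Count what the parent cache received from the front-end Squid.
    If every request is a CONNECT, the front-end is still tunnelling the
    bumped traffic instead of forwarding plain GETs."""
    methods = Counter()
    hier = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["client"] != frontend_addr:
            continue
        methods[rec["method"]] += 1
        hier[rec["hier"]] += 1
    return {
        "methods": dict(methods),
        "hierarchy": dict(hier),
        "tunnels_only": bool(methods) and set(methods) == {"CONNECT"},
    }


# Sample input copied from the thread: the two front-end error details and
# three of the parent cache's access.log lines.
FRONTEND_ERRORS = [
    "    error detail: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A0000C1+TLS_IO_ERR=1",
    "    error detail: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1",
]
PEER_ACCESS_LOG = [
    "1772699911.111 30800 fd05:562e:5a23::212:2e01 TCP_MISS/200 4121 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -",
    "1772701843.186 255 fd05:562e:5a23::212:2e01 TCP_MISS/200 3611 CONNECT www.googletagmanager.com:443/ - DIRECT/www.googletagmanager.com -",
    "1772701842.385 12995 fd05:562e:5a23::212:2e01 TCP_MISS/200 251669 CONNECT www.freshports.org:443/ - DIRECT/www.freshports.org -",
]
FRONTEND_ADDR = "fd05:562e:5a23::212:2e01"

if __name__ == "__main__":
    for detail in FRONTEND_ERRORS:
        d = decode_tls_lib_err(detail)
        print("lib=%d reason=%d %s" % (d["lib"], d["reason"], d["name"]))
    print(summarize_peer_traffic(PEER_ACCESS_LOG, FRONTEND_ADDR))
```

Run it against a full parent access.log (filtered to the front-end's address) after each configuration change: the goal state for Part 2 is a summary whose methods are GET and friends with no CONNECT entries, and whose hierarchy codes are the parent's own choices rather than per-request DIRECT tunnels.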


