[squid-users] Squid integration with Netskope forward to proxy

Alex Rousskov rousskov at measurement-factory.com
Wed Jan 14 15:14:25 UTC 2026


On 2026-01-13 07:45, Ben Goz wrote:

> I'm using ssl-bump; does it cooperate with https_port?

* https_port in an "intercept" or "tproxy" mode supports SslBump (and 
requires an "ssl-bump" option).

* https_port in other modes, including the default forward proxy mode, 
does not support SslBump (and prohibits an "ssl-bump" option).

Squid will correctly reject unsupported configurations, but the 
corresponding documentation is missing. That is a known Squid bug:
https://bugs.squid-cache.org/show_bug.cgi?id=5092

We tried to fix that documentation bug, but failed:
https://github.com/squid-cache/squid/pull/1981

Alex.
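
The two https_port rules stated in the message above can be checked before a configuration is deployed. The following is an added example, not part of the original message or of Squid itself; the sample configuration, ports and certificate paths are constructed placeholders, and the parser assumes one directive per line with no backslash continuations.

```python
# Pre-deployment lint for the https_port/ssl-bump rules stated in this thread:
#   * https_port with "intercept" or "tproxy" requires "ssl-bump"
#   * https_port in any other mode prohibits "ssl-bump"
BUMP_MODES = {"intercept", "tproxy"}

# Constructed sample; ports and certificate paths are placeholders.
SAMPLE = """\
# constructed squid.conf excerpt
http_port 3128 ssl-bump tls-cert=/etc/squid/ca.pem
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ca.pem
https_port 3130 tls-cert=/etc/squid/proxy.pem
https_port 3131 ssl-bump tls-cert=/etc/squid/ca.pem
https_port 3132 tproxy tls-cert=/etc/squid/ca.pem
"""


def check_https_ports(conf_text):
    """Return a list of (line_number, message) for offending https_port lines."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if not words or words[0] != "https_port":
            continue  # http_port and other directives are out of scope here
        options = set(words[2:])  # words[1] is the [ip:]port address
        modes = sorted(options & BUMP_MODES)
        has_bump = "ssl-bump" in options
        if modes and not has_bump:
            findings.append((number, f"{modes[0]} https_port requires ssl-bump"))
        elif has_bump and not modes:
            findings.append(
                (number, "ssl-bump is prohibited without intercept or tproxy")
            )
    return findings


if __name__ == "__main__":
    for number, message in check_https_ports(SAMPLE):
        print(f"line {number}: {message}")
```

Squid remains the authority on what it accepts: `squid -k parse` reports how the installed version actually treats the configuration.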


> On Mon, Jan 12, 2026 at 19:12, Amos Jeffries
> <squid3 at treenet.co.nz> wrote:
> 
>     On 12/01/2026 21:44, Matus UHLAR - fantomas wrote:
>      > On 11.01.26 16:58, Ben Goz wrote:
>      >> My customer netskope cloud configures forward to proxy to my
>      >> squid proxy.
>      >> The forwarding works only if Netskope's ssl decryption is disabled.
>      >> If ssl decryption is enabled, I can't see in the access log the
>      >> traffic forwarded to squid from Netskope.
>      >>
>      >> I suspect that Netskope forwards encrypted data to squid but I'm
>      >> not sure that is the case because the Connect request is never
>      >> encrypted and I don't see it in the access log.
>      >
>      >> Does anyone know how Netskope and squid can work together without
>      >> disabling Netskope decryption (MITM)?
>      >
>      > This is completely an issue of the netskope proxy.
>      >
>      > If the netskope proxy decides to forward or not to forward a request
>      > to squid, squid can't do anything about it.
> 
> 
>     Nod. If there is no CONNECT tunnel request reaching Squid then it is
>     not being forwarded in the classical "over-HTTP" way.
>
>     I would check to see what is happening on port 443 when the traffic is
>     "forwarded". HTTPS may actually be routed rather than relayed/proxied.
>     Or perhaps it is being sent to some other port number, though how to
>     find that may require asking your customer or Netskope directly for
>     more details on how it is set up there.
>
>
>     FWIW, Squid can receive HTTPS/443 traffic fine. Just use "https_port"
>     (note the 's') to receive it instead of the regular HTTP port, and you
>     will need an SSL server certificate (can be self-signed) for your Squid
>     which the customer software trusts.
> 
> 
>     HTH
>     Amos
> 
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     https://lists.squid-cache.org/listinfo/squid-users


