[squid-users] ssl bump + never_direct

Alex Rousskov rousskov at measurement-factory.com
Wed Feb 18 17:00:31 UTC 2026


On 2026-02-18 06:40, Anthony Pankov wrote:
> Hello Alex,
> 
> Tuesday, January 27, 2026, 4:58:34 PM, you wrote:
> 
>> On 2026-01-27 06:46, Anthony Pankov wrote:
> 
>>> I'm wondering whether it is possible, and what the logic will be, if I configure
>>> squid for ssl bumping and to always go to cache_peer (never direct)
>>> at the same time?
> 
>> Squid does not support "TLS inside TLS" yet, resulting in the following three possible use cases/answers:
> 
>> Bugs notwithstanding, bumping client traffic while talking to a cache_peer
> 
>> * ... should be possible if that cache_peer listens for plain text HTTP connections (e.g., cache_peer is a Squid instance listening on an http_port). Just configure Squid to always go to that cache_peer (see never_direct directive documentation). When forwarding bumped traffic, Squid will send a plain text CONNECT request to that cache_peer (and forward TLS traffic inside that CONNECT tunnel).
> 
> 
> Is it somehow possible to forward all bumped traffic to peer (never_direct) as plain http?
> 
> Client - (tls) - Squid - (plain http) - Peer - (tls) - Origin

Probably not.

> Is it possible to make frontline Squid a TLS terminator (light
> cacher) while Peer will do heavy caching and Origin interaction?

In a reverse proxy mode, Squid can terminate TLS, but that is not what 
SslBump does. The two modes are mutually exclusive.

In SslBump context, Squid should forward incoming bumped requests over 
the original/bumped connection to the TLS origin server. There are 
probably bugs in connection pinning area, but I am not aware of any bugs 
that would result in bumped requests leaving Squid unencrypted.

If you want plain text analysis, use an ICAP or eCAP REQMOD adaptation 
service (that can forward traffic to/from any proxy if needed).


HTH,

Alex.

>> * ... may also be possible if that cache_peer is an originserver peer that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in "accel" mode). I am not sure whether Squid has enough code to handle this configuration. Same never_direct configuration approach would apply here. When forwarding bumped traffic, Squid will open a TLS connection to that cache_peer.
> 
>> * ... is not possible if that cache_peer is a proxy that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in the default forward proxy mode).
> 
> 
>> HTH,
> 
>> Alex.
>> P.S. "Peering support for SslBump" functionality was added in Squid v5, but you should use Squid v7+.
> 
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
> 
> 
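As an added illustration of the first case Alex describes (SslBump with never_direct to a cache_peer that listens for plain-text HTTP), together with the ICAP REQMOD alternative he points to for plain-text analysis, here is a squid.conf fragment for the front-line Squid. It is example configuration written for this page, not taken from the thread or from the Squid project; the peer name cache1.example.internal, the ICAP address 127.0.0.1:1344, the CA certificate/key paths and the certgen helper path are assumptions to be replaced with your own values.

```conf
# Front-line Squid: clients connect here, TLS is bumped, and every
# outbound request is routed to a plain-text HTTP parent proxy.
# Hostnames, ports and paths are placeholders for this example.

# Forward-proxy port with SslBump enabled. The signing CA (assumed at
# /etc/squid/bump-ca.crt + .key) must be trusted by the clients.
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/bump-ca.crt \
    tls-key=/etc/squid/bump-ca.key

# Helper that mints per-site leaf certificates (install path is distro-specific).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the ClientHello in step 1 (to learn the SNI), then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The only path to the Internet is the parent proxy, which listens on a
# plain http_port (no TLS between the two proxies). never_direct forces it.
cache_peer cache1.example.internal parent 3128 0 no-query default
never_direct allow all

# Note: for a bumped request the peer receives a plain-text
# "CONNECT www.example.com:443 HTTP/1.1" and the re-encrypted TLS session
# to the origin flows inside that tunnel. The peer sees ciphertext only,
# so it can neither inspect nor cache the bumped traffic.

# For plain-text analysis of bumped requests, hand them to a REQMOD
# adaptation service instead (assumed ICAP server at 127.0.0.1:1344).
icap_enable on
icap_service req_inspect reqmod_precache icap://127.0.0.1:1344/reqmod bypass=off
adaptation_access req_inspect allow all
```

On the peer (cache1.example.internal) nothing SslBump-related is required: a stock forward-proxy `http_port 3128` that permits CONNECT to port 443 (the default `http_access deny CONNECT !SSL_ports` rule already allows it) is enough. This matches the thread's conclusion: the decrypted request never leaves the front-line Squid unencrypted, so the place to look at plain text is the ICAP/eCAP hook, not the link to the peer.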


