[squid-users] ssl bump + never_direct

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 27 13:58:34 UTC 2026


On 2026-01-27 06:46, Anthony Pankov wrote:

> I'm wondering whether it is possible, and what the logic will be, if I configure
> squid for ssl bumping and to always go to cache_peer (never direct)
> at the same time?

Squid does not support "TLS inside TLS" yet, resulting in the following 
three possible use cases/answers:

Bugs notwithstanding, bumping client traffic while talking to a cache_peer

* ... should be possible if that cache_peer listens for plain text HTTP 
connections (e.g., cache_peer is a Squid instance listening on an 
http_port). Just configure Squid to always go to that cache_peer (see 
never_direct directive documentation). When forwarding bumped traffic, 
Squid will send a plain text CONNECT request to that cache_peer (and 
forward TLS traffic inside that CONNECT tunnel).

* ... may also be possible if that cache_peer is an originserver peer 
that listens for TLS connections (e.g., cache_peer is a Squid instance 
listening on an https_port in "accel" mode). I am not sure whether Squid 
has enough code to handle this configuration. Same never_direct 
configuration approach would apply here. When forwarding bumped traffic, 
Squid will open a TLS connection to that cache_peer.

* ... is not possible if that cache_peer is a proxy that listens for TLS 
connections (e.g., cache_peer is a Squid instance listening on an 
https_port in the default forward proxy mode).


HTH,

Alex.
P.S. "Peering support for SslBump" functionality was added in Squid v5, 
but you should use Squid v7+.
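A minimal squid.conf for the first case above (bumping clients, then forwarding everything to a plain-text HTTP cache_peer), added here as an illustration rather than taken from the thread. The peer hostname, ports, certificate paths, and ACL names are assumptions; the directive names are standard Squid configuration.

```squid
# Added example configuration, not from the original post. Hostnames,
# ports, and certificate paths are placeholders to adjust for your site.

# Client-facing port with SslBump enabled. The CA cert/key here is the
# one clients must trust; generated server certs are minted from it.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    tls-key=/etc/squid/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that generates the per-host certificates used for bumping.
sslcrtd_program /usr/lib/squid/security_file_certgen \
    -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello (SNI) first, then bump the connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Upstream proxy that accepts plain-text HTTP (case 1 in the reply):
# bumped traffic is sent to it inside a plain-text CONNECT tunnel.
cache_peer upstream-proxy.example.net parent 3128 0 no-query default

# Never go direct; everything must traverse the cache_peer.
never_direct allow all

# For case 2 (origin-server peer that speaks TLS), the peer line would
# instead look like the following, which makes Squid open a TLS
# connection to the peer rather than a CONNECT tunnel:
# cache_peer origin.example.net parent 443 0 no-query originserver tls
```

A cache_peer that is itself a TLS-listening forward proxy (an https_port in proxy mode) is the third, unsupported case: the bumped TLS traffic would have to be wrapped inside a second TLS session to the peer.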



More information about the squid-users mailing list