[squid-users] ssl bump + never_direct
Alex Rousskov
rousskov at measurement-factory.com
Tue Jan 27 18:37:00 UTC 2026
On 2026-01-27 09:36, Anthony Pankov wrote:
> Tuesday, January 27, 2026, 4:58:34 PM, you wrote:
>
>> On 2026-01-27 06:46, Anthony Pankov wrote:
>
>>> I'm wondering whether it is possible, and what the logic will be, if I configure
>>> Squid for SSL bumping and to always go to a cache_peer (never direct)
>>> at the same time?
>
>> Squid does not support "TLS inside TLS" yet, resulting in the following three possible use cases/answers:
>
>> Bugs notwithstanding, bumping client traffic while talking to a cache_peer
>
>> * ... should be possible if that cache_peer listens for plain text HTTP connections (e.g., cache_peer is a Squid instance listening on an http_port). Just configure Squid to always go to that cache_peer (see never_direct directive documentation). When forwarding bumped traffic, Squid will send a plain text CONNECT request to that cache_peer (and forward TLS traffic inside that CONNECT tunnel).
> I'm mostly interested in the SslBump steps. They include "Get TLS Server Hello info from the server, including the server certificate" [https://wiki.squid-cache.org/Features/SslPeekAndSplice].
> Will Squid go to the origin server in a bump step for the "Server Hello" despite the never_direct configuration?
Short answer: "Yes".
At TCP level, Squid will connect to the cache_peer and ask that
cache_peer to connect to the origin server, creating a TCP tunnel. At
TLS level, Squid will be talking to the TLS origin server (using that
TCP tunnel through the cache_peer).
HTH,
Alex.
>> * ... may also be possible if that cache_peer is an originserver peer that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in "accel" mode). I am not sure whether Squid has enough code to handle this configuration. Same never_direct configuration approach would apply here. When forwarding bumped traffic, Squid will open a TLS connection to that cache_peer.
>
>> * ... is not possible if that cache_peer is a proxy that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in the default forward proxy mode).
>
>
>> HTH,
>
>> Alex.
>> P.S. "Peering support for SslBump" functionality was added in Squid v5, but you should use Squid v7+.
>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
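A squid.conf fragment for the first of the three cases above (bumping client TLS while forwarding everything to a cache_peer that accepts plain-text HTTP), added here as an illustration; it is not configuration from the thread or from the Squid project, and the peer hostname, listening port, CA certificate path and local network range are assumptions. It shows the pieces the answer relies on: SslBump enabled on the listening port, a peek-then-bump step sequence, a parent cache_peer, and never_direct so that even the step-2 fetch of the server's TLS hello travels through the peer's CONNECT tunnel rather than directly to the origin.

```conf
# Added example (not from the thread). Hostnames, ports and paths are assumed.

# Listening port with SslBump. The CA cert/key and the certificate DB are
# placeholders; replace them with your own bump CA and sslcrtd DB path.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump steps: peek at step 1 (reads the client SNI), then bump.
# The server-side handshake that Squid performs before bumping is done over
# the TCP tunnel the cache_peer opens for the CONNECT request, not directly.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Parent proxy that accepts plain-text HTTP, including CONNECT
# (e.g. another Squid with a plain http_port). Name is assumed.
cache_peer upstream.example.internal parent 3128 0 no-query default

# Never contact origin servers directly: every outbound TCP connection,
# including the one used to fetch the origin's TLS Server Hello, goes via the peer.
never_direct allow all

# Limit who can use this bumping proxy (assumed local range).
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all
```

A quick way to confirm the behaviour Alex describes is to watch the cache_peer's access.log while a client opens an HTTPS site through the bumping Squid: the peer should log a CONNECT request for the origin host and port 443 arriving from the bumping Squid, and the origin server should see its TLS client as the peer's address, not the bumping Squid's. If the peer instead listens only on an https_port in forward-proxy mode (the third case above), this configuration will not work because Squid does not yet support TLS inside TLS.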