[squid-users] ssl bump + never_direct

Anthony Pankov anthony.pankov at yahoo.com
Wed Jan 28 08:41:13 UTC 2026

Previous message (by thread): [squid-users] ssl bump + never_direct
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Tuesday, January 27, 2026, 9:37:00 PM, you wrote:

> On 2026-01-27 09:36, Anthony Pankov wrote:
>> Tuesday, January 27, 2026, 4:58:34 PM, you wrote:
>> >> On 2026-01-27 06:46, Anthony Pankov wrote:
>> >>> I'm wandering is it possible and what the logic will be if configure
>>>> squid for ssl bumping and to always go to  cache_peer (never direct)
>>>> at the same time?
>> >> Squid does not support "TLS inside TLS" yet, resulting in the following three possible use cases/answers:
>> >> Bugs notwithstanding, bumping client traffic while talking to a cache_peer
>> >> * ... should be possible if that cache_peer listens for plain text HTTP connections (e.g., cache_peer is a Squid instance listening on an http_port). Just configure Squid to always go to that cache_peer (see never_direct directive documentation). When forwarding bumped traffic, Squid will send a plain text CONNECT request to that cache_peer (and forward TLS traffic inside that CONNECT tunnel).

>> I'm mostly interesting about SSLBump steps. Its  include "Get TLS Server Hello info from the server, including the server certificate" [https://wiki.squid-cache.org/Features/SslPeekAndSplice].
>> Does squid will go to origin server in a Bump step for "Server hello" despite the never_direct configuration?

> Short answer: "Yes".

> At TCP level, Squid will connect to the cache_peer and ask that cache_peer to connect to the origin server, creating a TCP tunnel. At TLS level, Squid will be talking to the TLS origin server (using that TCP tunnel through the cache_peer).

Great! It is really amazing that nowadays software do things  the right way strictly conforming standards and logic.

Thank you.

>>> * ... may also be possible if that cache_peer is an originserver peer that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in "accel" mode). I am not sure whether Squid has enough code to handle this configuration. Same never_direct configuration approach would apply here. When forwarding bumped traffic, Squid will open a TLS connection to that cache_peer.
>> >> * ... is not possible if that cache_peer is a proxy that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in the default forward proxy mode).
>> > >> HTH,
>> >> Alex.
>>> P.S. "Peering support for SslBump" functionality was added in Squid v5, but you should use Squid v7+.
>> >> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> https://lists.squid-cache.org/listinfo/squid-users
>> > 


-- 
Best regards,
Anthony

Previous message (by thread): [squid-users] ssl bump + never_direct
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the squid-users mailing list