2026-03-05

Author: squidadm

squid-dev/2026-March.txt

@@ -375,3 +375,95 @@ Best regards,
 Anthony
 
 
+From rousskov at measurement-factory.com  Thu Mar  5 17:13:26 2026
+From: rousskov at measurement-factory.com (Alex Rousskov)
+Date: Thu, 5 Mar 2026 12:13:26 -0500
+Subject: [squid-dev] forward bumped traffic to parent in plain form
+In-Reply-To: <1478043664.20260305122659@yahoo.com>
+References: <1985119311.20260304190328.ref@yahoo.com>
+ <1985119311.20260304190328@yahoo.com>
+ <70faedf9-2e5d-4934-b837-874940f81a4b@measurement-factory.com>
+ <1478043664.20260305122659@yahoo.com>
+Message-ID: <30a55c20-f80b-4a5f-be94-352a6a567a9c@measurement-factory.com>
+
+On 2026-03-05 04:26, Anthony Pankov wrote:
+> Wednesday, March 4, 2026, 9:43:45 PM, Alex wrote:
+>> On 2026-03-04 11:03, Anthony Pankov wrote:
+>>> I still want to modify squid in such a way that it can forward
+>>> clients http traffic to a parent cache in plain form. I mean after
+>>> bumping ssl (forntend-squid establish tls connection with a client)
+>>> requests from client should goes to parent cache as a plain http (
+>>> GET etc.)
+> 
+>> Let's split this problem into two parts:
+> 
+>> Part 1: Bumping the client.
+> 
+>> Do you want your Squid to bump the TLS client connection without talking to the TLS origin server?
+> Yes, for simplicity.
+> 
+>>   Bugs notwithstanding, that should already be possible using unsupported "ssl_bump client-first all" or,
+> 
+> common conf :
+> 
+> http_port 100.100.100.100:8080 ssl-bump generate-host-certificates=on \
+>    options=CIPHER_SERVER_PREFERENCE,NO_TLSv1,NO_SSLv3,NO_TLSv1_1 \
+>    tls-dh=prime256v1:/usr/local/etc/squid/sq-dhparams.pem \
+>    tls-cert=/usr/local/etc/squid/imc+.ots101.crt \
+>    tls-key=/usr/local/etc/squid/key.ots101-imc.pem \
+>    dynamic_cert_mem_cache_size=10MB
+> 
+> ssl_bump client-first all
+> 
+> There is an error on the client (NO_CIPHER_OVERLAP) and error on squid
+
+OK. It sounds like the TLS client is unhappy with the unsupported 
+client-first mode. Let's forget about that mode and focus on supported ones:
+
+
+> ssl_bump stare ssl_bump_step_1
+> ssl_bump bump all
+> 
+>   I've got in squid-fronted:
+> 
+
+> 2026/03/05 12:15:18.505 kid1| 44,3| peer_select.cc(305) ...
+
+Peer selection is Part 2. Before we get into that, we need to make sure 
+that your Squid can bump the client _without_ getting into FwdState.cc, 
+peer_select.cc, etc. Squid-to-peer logic.
+
+It is not clear to me yet whether bumping the client was successful in 
+the above test. To confirm, please test using an HTTPS client that sends 
+something that does not require Squid-to-peer communication from HTTP 
+point of view. Squid should generate the response internally. The client 
+should successfully get that Squid-generated response.
+
+Here are some suggestions:
+
+1. GET request with an "unsupported-scheme://a.test/" URL.
+2. TRACE request with a "Max-Forwards: 0" header.
+3. Non-HTTP (i.e. unparseable as HTTP) garbage with enough new lines
+    to let Squid find the "end" of "headers".
+
+For Part 1, your goal is to prove that your HTTPS client successfully 
+communicates with your Squid with zero packets going to peers or origin 
+servers. You can even add a temporary "assert(false)" to 
+FwdState::FwdState() to be reasonably sure.
+
+I hope this goal can be accomplished without Squid source code changes, 
+but I cannot promise that.
+
+
+HTH,
+
+Alex.
+
+
+
+>> Part 2: Forwarding bumped GET requests to cache_peers "as is", without a second layer of encryption.
+> 
+>> This part depends on Part 1. Let's come back to this after Part 1 is working.
+
+
+

squid-dev/2026-March/009981.html

@@ -12,7 +12,7 @@
            }
    </style>
    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
-   <LINK REL="Previous"  HREF="009983.html">
+   <LINK REL="Previous"  HREF="009984.html">
    <LINK REL="Next"  HREF="009982.html">
  </HEAD>
  <BODY BGCOLOR="#ffffff">
@@ -23,7 +23,7 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
        </A><BR>
     <I>Thu Mar  5 07:55:03 UTC 2026</I>
     <P><UL>
-        <LI>Previous message (by thread): <A HREF="009983.html">[squid-dev] forward bumped traffic to parent in plain form
+        <LI>Previous message (by thread): <A HREF="009984.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>
         <LI>Next message (by thread): <A HREF="009982.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>
@@ -80,11 +80,12 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
 
 
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
         <!--threads-->
-	<LI>Previous message (by thread): <A HREF="009983.html">[squid-dev] forward bumped traffic to parent in plain form
+	<LI>Previous message (by thread): <A HREF="009984.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>
 	<LI>Next message (by thread): <A HREF="009982.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>

squid-dev/2026-March/009982.html

@@ -77,6 +77,7 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
 </PRE>
 
 
+
 <!--endarticle-->
     <HR>
     <P><UL>

squid-dev/2026-March/009983.html

@@ -13,7 +13,7 @@
    </style>
    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
    <LINK REL="Previous"  HREF="009980.html">
-   <LINK REL="Next"  HREF="009981.html">
+   <LINK REL="Next"  HREF="009984.html">
  </HEAD>
  <BODY BGCOLOR="#ffffff">
    <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
@@ -25,7 +25,7 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
     <P><UL>
         <LI>Previous message (by thread): <A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>
-        <LI>Next message (by thread): <A HREF="009981.html">[squid-dev] forward bumped traffic to parent in plain form
+        <LI>Next message (by thread): <A HREF="009984.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#9983">[ date ]</a>
@@ -211,13 +211,14 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
 
 </PRE>
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
         <!--threads-->
 	<LI>Previous message (by thread): <A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>
-	<LI>Next message (by thread): <A HREF="009981.html">[squid-dev] forward bumped traffic to parent in plain form
+	<LI>Next message (by thread): <A HREF="009984.html">[squid-dev] forward bumped traffic to parent in plain form
 </A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#9983">[ date ]</a>

squid-dev/2026-March/009984.html

@@ -0,0 +1,140 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-dev] forward bumped traffic to parent in plain form
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20forward%20bumped%20traffic%20to%20parent%20in%20plain%20form&In-Reply-To=%3C30a55c20-f80b-4a5f-be94-352a6a567a9c%40measurement-factory.com%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="009983.html">
+   <LINK REL="Next"  HREF="009981.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
+    <B>Alex Rousskov</B> 
+    <A HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20forward%20bumped%20traffic%20to%20parent%20in%20plain%20form&In-Reply-To=%3C30a55c20-f80b-4a5f-be94-352a6a567a9c%40measurement-factory.com%3E"
+       TITLE="[squid-dev] forward bumped traffic to parent in plain form">rousskov at measurement-factory.com
+       </A><BR>
+    <I>Thu Mar  5 17:13:26 UTC 2026</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="009983.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
+        <LI>Next message (by thread): <A HREF="009981.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#9984">[ date ]</a>
+              <a href="thread.html#9984">[ thread ]</a>
+              <a href="subject.html#9984">[ subject ]</a>
+              <a href="author.html#9984">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On 2026-03-05 04:26, Anthony Pankov wrote:
+&gt;<i> Wednesday, March 4, 2026, 9:43:45 PM, Alex wrote:
+</I>&gt;&gt;<i> On 2026-03-04 11:03, Anthony Pankov wrote:
+</I>&gt;&gt;&gt;<i> I still want to modify squid in such a way that it can forward
+</I>&gt;&gt;&gt;<i> clients http traffic to a parent cache in plain form. I mean after
+</I>&gt;&gt;&gt;<i> bumping ssl (forntend-squid establish tls connection with a client)
+</I>&gt;&gt;&gt;<i> requests from client should goes to parent cache as a plain http (
+</I>&gt;&gt;&gt;<i> GET etc.)
+</I>&gt;<i> 
+</I>&gt;&gt;<i> Let's split this problem into two parts:
+</I>&gt;<i> 
+</I>&gt;&gt;<i> Part 1: Bumping the client.
+</I>&gt;<i> 
+</I>&gt;&gt;<i> Do you want your Squid to bump the TLS client connection without talking to the TLS origin server?
+</I>&gt;<i> Yes, for simplicity.
+</I>&gt;<i> 
+</I>&gt;&gt;<i>   Bugs notwithstanding, that should already be possible using unsupported &quot;ssl_bump client-first all&quot; or,
+</I>&gt;<i> 
+</I>&gt;<i> common conf :
+</I>&gt;<i> 
+</I>&gt;<i> http_port 100.100.100.100:8080 ssl-bump generate-host-certificates=on \
+</I>&gt;<i>    options=CIPHER_SERVER_PREFERENCE,NO_TLSv1,NO_SSLv3,NO_TLSv1_1 \
+</I>&gt;<i>    tls-dh=prime256v1:/usr/local/etc/squid/sq-dhparams.pem \
+</I>&gt;<i>    tls-cert=/usr/local/etc/squid/imc+.ots101.crt \
+</I>&gt;<i>    tls-key=/usr/local/etc/squid/key.ots101-imc.pem \
+</I>&gt;<i>    dynamic_cert_mem_cache_size=10MB
+</I>&gt;<i> 
+</I>&gt;<i> ssl_bump client-first all
+</I>&gt;<i> 
+</I>&gt;<i> There is an error on the client (NO_CIPHER_OVERLAP) and error on squid
+</I>
+OK. It sounds like the TLS client is unhappy with the unsupported 
+client-first mode. Let's forget about that mode and focus on supported ones:
+
+
+&gt;<i> ssl_bump stare ssl_bump_step_1
+</I>&gt;<i> ssl_bump bump all
+</I>&gt;<i> 
+</I>&gt;<i>   I've got in squid-fronted:
+</I>&gt;<i> 
+</I>
+&gt;<i> 2026/03/05 12:15:18.505 kid1| 44,3| peer_select.cc(305) ...
+</I>
+Peer selection is Part 2. Before we get into that, we need to make sure 
+that your Squid can bump the client _without_ getting into FwdState.cc, 
+peer_select.cc, etc. Squid-to-peer logic.
+
+It is not clear to me yet whether bumping the client was successful in 
+the above test. To confirm, please test using an HTTPS client that sends 
+something that does not require Squid-to-peer communication from HTTP 
+point of view. Squid should generate the response internally. The client 
+should successfully get that Squid-generated response.
+
+Here are some suggestions:
+
+1. GET request with an &quot;unsupported-<A HREF="scheme://a.test/">scheme://a.test/</A>&quot; URL.
+2. TRACE request with a &quot;Max-Forwards: 0&quot; header.
+3. Non-HTTP (i.e. unparseable as HTTP) garbage with enough new lines
+    to let Squid find the &quot;end&quot; of &quot;headers&quot;.
+
+For Part 1, your goal is to prove that your HTTPS client successfully 
+communicates with your Squid with zero packets going to peers or origin 
+servers. You can even add a temporary &quot;assert(false)&quot; to 
+FwdState::FwdState() to be reasonably sure.
+
+I hope this goal can be accomplished without Squid source code changes, 
+but I cannot promise that.
+
+
+HTH,
+
+Alex.
+
+
+
+&gt;&gt;<i> Part 2: Forwarding bumped GET requests to cache_peers &quot;as is&quot;, without a second layer of encryption.
+</I>&gt;<i> 
+</I>&gt;&gt;<i> This part depends on Part 1. Let's come back to this after Part 1 is working.
+</I>
+
+</PRE>
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="009983.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
+	<LI>Next message (by thread): <A HREF="009981.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#9984">[ date ]</a>
+              <a href="thread.html#9984">[ thread ]</a>
+              <a href="subject.html#9984">[ subject ]</a>
+              <a href="author.html#9984">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-dev">More information about the squid-dev
+mailing list</a><br>
+</body></html>

squid-dev/2026-March/author.html

@@ -19,8 +19,8 @@ <h1>March 2026 Archives by author</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Ending:</b> <i>Thu Mar  5 09:26:59 UTC 2026</i><br>
-         <b>Messages:</b> 5<p>
+         <b>Ending:</b> <i>Thu Mar  5 17:13:26 UTC 2026</i><br>
+         <b>Messages:</b> 6<p>
      <ul>
 
 <LI><A HREF="009981.html">[squid-dev] forward bumped traffic to parent in plain form
@@ -46,13 +46,18 @@ <h1>March 2026 Archives by author</h1>
 <LI><A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
 </A><A NAME="9980">&nbsp;</A>
 <I>Alex Rousskov
+</I>
+
+<LI><A HREF="009984.html">[squid-dev] forward bumped traffic to parent in plain form
+</A><A NAME="9984">&nbsp;</A>
+<I>Alex Rousskov
 </I>
 
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Thu Mar  5 09:26:59 UTC 2026</i><br>
-    <b>Archived on:</b> <i>Thu Mar  5 09:26:50 UTC 2026</i>
+       <i>Thu Mar  5 17:13:26 UTC 2026</i><br>
+    <b>Archived on:</b> <i>Thu Mar  5 17:13:30 UTC 2026</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>

squid-dev/2026-March/date.html

@@ -19,8 +19,8 @@ <h1>March 2026 Archives by date</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Ending:</b> <i>Thu Mar  5 09:26:59 UTC 2026</i><br>
-         <b>Messages:</b> 5<p>
+         <b>Ending:</b> <i>Thu Mar  5 17:13:26 UTC 2026</i><br>
+         <b>Messages:</b> 6<p>
      <ul>
 
 <LI><A HREF="009979.html">[squid-dev] forward bumped traffic to parent in plain form
@@ -46,13 +46,18 @@ <h1>March 2026 Archives by date</h1>
 <LI><A HREF="009983.html">[squid-dev] forward bumped traffic to parent in plain form
 </A><A NAME="9983">&nbsp;</A>
 <I>Anthony Pankov
+</I>
+
+<LI><A HREF="009984.html">[squid-dev] forward bumped traffic to parent in plain form
+</A><A NAME="9984">&nbsp;</A>
+<I>Alex Rousskov
 </I>
 
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Thu Mar  5 09:26:59 UTC 2026</i><br>
-    <b>Archived on:</b> <i>Thu Mar  5 09:26:50 UTC 2026</i>
+       <i>Thu Mar  5 17:13:26 UTC 2026</i><br>
+    <b>Archived on:</b> <i>Thu Mar  5 17:13:30 UTC 2026</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>