|
| 1 | +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
| 2 | +<HTML> |
| 3 | + <HEAD> |
| 4 | + <TITLE> [squid-users] ssl bump + never_direct |
| 5 | + </TITLE> |
| 6 | + <LINK REL="Index" HREF="index.html" > |
| 7 | + <LINK REL="made" HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20ssl%20bump%20%2B%20never_direct&In-Reply-To=%3C4a108d22-184a-4728-a3f3-df47a37045e5%40measurement-factory.com%3E"> |
| 8 | + <META NAME="robots" CONTENT="index,nofollow"> |
| 9 | + <style type="text/css"> |
| 10 | + pre { |
| 11 | + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ |
| 12 | + } |
| 13 | + </style> |
| 14 | + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> |
| 15 | + <LINK REL="Previous" HREF="027783.html"> |
| 16 | + |
| 17 | + </HEAD> |
| 18 | + <BODY BGCOLOR="#ffffff"> |
| 19 | + <H1>[squid-users] ssl bump + never_direct</H1> |
| 20 | + <B>Alex Rousskov</B> |
| 21 | + <A HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20ssl%20bump%20%2B%20never_direct&In-Reply-To=%3C4a108d22-184a-4728-a3f3-df47a37045e5%40measurement-factory.com%3E" |
| 22 | + TITLE="[squid-users] ssl bump + never_direct">rousskov at measurement-factory.com |
| 23 | + </A><BR> |
| 24 | + <I>Tue Jan 27 18:37:00 UTC 2026</I> |
| 25 | + <P><UL> |
| 26 | + <LI>Previous message (by thread): <A HREF="027783.html">[squid-users] ssl bump + never_direct |
| 27 | +</A></li> |
| 28 | + |
| 29 | + <LI> <B>Messages sorted by:</B> |
| 30 | + <a href="date.html#27784">[ date ]</a> |
| 31 | + <a href="thread.html#27784">[ thread ]</a> |
| 32 | + <a href="subject.html#27784">[ subject ]</a> |
| 33 | + <a href="author.html#27784">[ author ]</a> |
| 34 | + </LI> |
| 35 | + </UL> |
| 36 | + <HR> |
| 37 | +<!--beginarticle--> |
| 38 | +<PRE>On 2026-01-27 09:36, Anthony Pankov wrote: |
| 39 | +><i> Tuesday, January 27, 2026, 4:58:34 PM, you wrote: |
| 40 | +</I>><i> |
| 41 | +</I>>><i> On 2026-01-27 06:46, Anthony Pankov wrote: |
| 42 | +</I>><i> |
| 43 | +</I>>>><i> I'm wandering is it possible and what the logic will be if configure |
| 44 | +</I>>>><i> squid for ssl bumping and to always go to cache_peer (never direct) |
| 45 | +</I>>>><i> at the same time? |
| 46 | +</I>><i> |
| 47 | +</I>>><i> Squid does not support "TLS inside TLS" yet, resulting in the following three possible use cases/answers: |
| 48 | +</I>><i> |
| 49 | +</I>>><i> Bugs notwithstanding, bumping client traffic while talking to a cache_peer |
| 50 | +</I>><i> |
| 51 | +</I>>><i> * ... should be possible if that cache_peer listens for plain text HTTP connections (e.g., cache_peer is a Squid instance listening on an http_port). Just configure Squid to always go to that cache_peer (see never_direct directive documentation). When forwarding bumped traffic, Squid will send a plain text CONNECT request to that cache_peer (and forward TLS traffic inside that CONNECT tunnel). |
| 52 | +</I> |
| 53 | +><i> I'm mostly interesting about SSLBump steps. Its include "Get TLS Server Hello info from the server, including the server certificate" [<A HREF="https://wiki.squid-cache.org/Features/SslPeekAndSplice">https://wiki.squid-cache.org/Features/SslPeekAndSplice</A>]. |
| 54 | +</I>><i> Does squid will go to origin server in a Bump step for "Server hello" despite the never_direct configuration? |
| 55 | +</I> |
| 56 | +Short answer: "Yes". |
| 57 | + |
| 58 | +At TCP level, Squid will connect to the cache_peer and ask that |
| 59 | +cache_peer to connect to the origin server, creating a TCP tunnel. At |
| 60 | +TLS level, Squid will be talking to the TLS origin server (using that |
| 61 | +TCP tunnel through the cache_peer). |
| 62 | + |
| 63 | + |
| 64 | +HTH, |
| 65 | + |
| 66 | +Alex. |
| 67 | + |
| 68 | + |
| 69 | + |
| 70 | +>><i> * ... may also be possible if that cache_peer is an originserver peer that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in "accel" mode). I am not sure whether Squid has enough code to handle this configuration. Same never_direct configuration approach would apply here. When forwarding bumped traffic, Squid will open a TLS connection to that cache_peer. |
| 71 | +</I>><i> |
| 72 | +</I>>><i> * ... is not possible if that cache_peer is a proxy that listens for TLS connections (e.g., cache_peer is a Squid instance listening on an https_port in the default forward proxy mode). |
| 73 | +</I>><i> |
| 74 | +</I>><i> |
| 75 | +</I>>><i> HTH, |
| 76 | +</I>><i> |
| 77 | +</I>>><i> Alex. |
| 78 | +</I>>><i> P.S. "Peering support for SslBump" functionality was added in Squid v5, but you should use Squid v7+. |
| 79 | +</I>><i> |
| 80 | +</I>>><i> _______________________________________________ |
| 81 | +</I>>><i> squid-users mailing list |
| 82 | +</I>>><i> <A HREF="https://lists.squid-cache.org/listinfo/squid-users">squid-users at lists.squid-cache.org</A> |
| 83 | +</I>>><i> <A HREF="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</A> |
| 84 | +</I>><i> |
| 85 | +</I>><i> |
| 86 | +</I> |
| 87 | +</PRE> |
| 88 | + |
| 89 | +<!--endarticle--> |
| 90 | + <HR> |
| 91 | + <P><UL> |
| 92 | + <!--threads--> |
| 93 | + <LI>Previous message (by thread): <A HREF="027783.html">[squid-users] ssl bump + never_direct |
| 94 | +</A></li> |
| 95 | + |
| 96 | + <LI> <B>Messages sorted by:</B> |
| 97 | + <a href="date.html#27784">[ date ]</a> |
| 98 | + <a href="thread.html#27784">[ thread ]</a> |
| 99 | + <a href="subject.html#27784">[ subject ]</a> |
| 100 | + <a href="author.html#27784">[ author ]</a> |
| 101 | + </LI> |
| 102 | + </UL> |
| 103 | + |
| 104 | +<hr> |
| 105 | +<a href="https://lists.squid-cache.org/listinfo/squid-users">More information about the squid-users |
| 106 | +mailing list</a><br> |
| 107 | +</body></html> |
0 commit comments