2026-03-05

Author: squidadm

squid-dev/2026-March.txt

@@ -29,3 +29,65 @@ Best regards,
  Anthony                          mailto:anthony.pankov at yahoo.com
 
 
+From rousskov at measurement-factory.com  Wed Mar  4 18:43:45 2026
+From: rousskov at measurement-factory.com (Alex Rousskov)
+Date: Wed, 4 Mar 2026 13:43:45 -0500
+Subject: [squid-dev] forward bumped traffic to parent in plain form
+In-Reply-To: <1985119311.20260304190328@yahoo.com>
+References: <1985119311.20260304190328.ref@yahoo.com>
+ <1985119311.20260304190328@yahoo.com>
+Message-ID: <70faedf9-2e5d-4934-b837-874940f81a4b@measurement-factory.com>
+
+On 2026-03-04 11:03, Anthony Pankov wrote:
+
+> I still want to modify squid in such a way that it can forward
+> clients http traffic to a parent cache in plain form. I mean after
+> bumping ssl (forntend-squid establish tls connection with a client)
+> requests from client should goes to parent cache as a plain http (
+> GET etc.)
+
+Let's split this problem into two parts:
+
+Part 1: Bumping the client.
+
+Do you want your Squid to bump the TLS client connection without talking 
+to the TLS origin server? Bugs notwithstanding, that should already be 
+possible using unsupported "ssl_bump client-first all" or, after 
+defining step1,
+
+     ssl_bump stare step1
+     ssl_bump bump all
+
+Or does the client need to see something from the TLS origin server 
+certificate to work correctly? In that case, you have to use something 
+like "ssl_bump stare all" but it will complicate Part 2 changes.
+
+
+Part 2: Forwarding bumped GET requests to cache_peers "as is", without a 
+second layer of encryption.
+
+This part depends on Part 1. Let's come back to this after Part 1 is 
+working.
+
+
+HTH,
+
+Alex.
+
+
+> Connection between squids servers is already encrypted so I don't need any additional tls(security) layer.
+> 
+> Also, for simplification, I assume never_direct directive for this traffic on a front-end.
+> I understand that it will preclude any checks for origin server certificate but this is not a problem because policy for origin may be applied in a parent cache.
+> 
+> I tried to modify FwdState::noteConnection to avoid establishTunnelThruProxy() and FwdState::secureConnectionToPeerIfNeeded  to avoid secureConnectionToPeer() but has no lack.
+> 
+> They use request.flags  sslBumped and sslPeek that I do not fully understand. sslPeek described as "internal ssl-bump request to get server cert" but it always True when I'm in noteConnection.
+> 
+> Also I noted  async SslBumpEstablish which call switchToHttps. Because of asyncs I can't fully understand where I can preclude switching connections to parent cache to "CONNECT" mode rather than using it plain.
+> 
+> Any help would be appreciated.
+> 
+> 
+
+

squid-dev/2026-March/009979.html

@@ -13,7 +13,7 @@
    </style>
    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
 
-   
+   <LINK REL="Next"  HREF="009980.html">
  </HEAD>
  <BODY BGCOLOR="#ffffff">
    <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
@@ -24,7 +24,8 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
     <I>Wed Mar  4 16:03:28 UTC 2026</I>
     <P><UL>
 
-        
+        <LI>Next message (by thread): <A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#9979">[ date ]</a>
               <a href="thread.html#9979">[ thread ]</a>
@@ -59,12 +60,14 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
 
 </PRE>
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
         <!--threads-->
 
-	
+	<LI>Next message (by thread): <A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#9979">[ date ]</a>
               <a href="thread.html#9979">[ thread ]</a>

squid-dev/2026-March/009980.html

@@ -0,0 +1,110 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-dev] forward bumped traffic to parent in plain form
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20forward%20bumped%20traffic%20to%20parent%20in%20plain%20form&In-Reply-To=%3C70faedf9-2e5d-4934-b837-874940f81a4b%40measurement-factory.com%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="009979.html">
+   
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
+    <B>Alex Rousskov</B> 
+    <A HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20forward%20bumped%20traffic%20to%20parent%20in%20plain%20form&In-Reply-To=%3C70faedf9-2e5d-4934-b837-874940f81a4b%40measurement-factory.com%3E"
+       TITLE="[squid-dev] forward bumped traffic to parent in plain form">rousskov at measurement-factory.com
+       </A><BR>
+    <I>Wed Mar  4 18:43:45 UTC 2026</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="009979.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
+        
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#9980">[ date ]</a>
+              <a href="thread.html#9980">[ thread ]</a>
+              <a href="subject.html#9980">[ subject ]</a>
+              <a href="author.html#9980">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On 2026-03-04 11:03, Anthony Pankov wrote:
+
+&gt;<i> I still want to modify squid in such a way that it can forward
+</I>&gt;<i> clients http traffic to a parent cache in plain form. I mean after
+</I>&gt;<i> bumping ssl (forntend-squid establish tls connection with a client)
+</I>&gt;<i> requests from client should goes to parent cache as a plain http (
+</I>&gt;<i> GET etc.)
+</I>
+Let's split this problem into two parts:
+
+Part 1: Bumping the client.
+
+Do you want your Squid to bump the TLS client connection without talking 
+to the TLS origin server? Bugs notwithstanding, that should already be 
+possible using unsupported &quot;ssl_bump client-first all&quot; or, after 
+defining step1,
+
+     ssl_bump stare step1
+     ssl_bump bump all
+
+Or does the client need to see something from the TLS origin server 
+certificate to work correctly? In that case, you have to use something 
+like &quot;ssl_bump stare all&quot; but it will complicate Part 2 changes.
+
+
+Part 2: Forwarding bumped GET requests to cache_peers &quot;as is&quot;, without a 
+second layer of encryption.
+
+This part depends on Part 1. Let's come back to this after Part 1 is 
+working.
+
+
+HTH,
+
+Alex.
+
+
+&gt;<i> Connection between squids servers is already encrypted so I don't need any additional tls(security) layer.
+</I>&gt;<i> 
+</I>&gt;<i> Also, for simplification, I assume never_direct directive for this traffic on a front-end.
+</I>&gt;<i> I understand that it will preclude any checks for origin server certificate but this is not a problem because policy for origin may be applied in a parent cache.
+</I>&gt;<i> 
+</I>&gt;<i> I tried to modify FwdState::noteConnection to avoid establishTunnelThruProxy() and FwdState::secureConnectionToPeerIfNeeded  to avoid secureConnectionToPeer() but has no lack.
+</I>&gt;<i> 
+</I>&gt;<i> They use request.flags  sslBumped and sslPeek that I do not fully understand. sslPeek described as &quot;internal ssl-bump request to get server cert&quot; but it always True when I'm in noteConnection.
+</I>&gt;<i> 
+</I>&gt;<i> Also I noted  async SslBumpEstablish which call switchToHttps. Because of asyncs I can't fully understand where I can preclude switching connections to parent cache to &quot;CONNECT&quot; mode rather than using it plain.
+</I>&gt;<i> 
+</I>&gt;<i> Any help would be appreciated.
+</I>&gt;<i> 
+</I>&gt;<i> 
+</I>
+</PRE>
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="009979.html">[squid-dev] forward bumped traffic to parent in plain form
+</A></li>
+	
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#9980">[ date ]</a>
+              <a href="thread.html#9980">[ thread ]</a>
+              <a href="subject.html#9980">[ subject ]</a>
+              <a href="author.html#9980">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-dev">More information about the squid-dev
+mailing list</a><br>
+</body></html>

squid-dev/2026-March/author.html

@@ -19,20 +19,25 @@ <h1>March 2026 Archives by author</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Ending:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Messages:</b> 1<p>
+         <b>Ending:</b> <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+         <b>Messages:</b> 2<p>
      <ul>
 
 <LI><A HREF="009979.html">[squid-dev] forward bumped traffic to parent in plain form
 </A><A NAME="9979">&nbsp;</A>
 <I>Anthony Pankov
+</I>
+
+<LI><A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
+</A><A NAME="9980">&nbsp;</A>
+<I>Alex Rousskov
 </I>
 
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-    <b>Archived on:</b> <i>Wed Mar  4 16:03:19 UTC 2026</i>
+       <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+    <b>Archived on:</b> <i>Wed Mar  4 18:43:48 UTC 2026</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>

squid-dev/2026-March/date.html

@@ -19,20 +19,25 @@ <h1>March 2026 Archives by date</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Ending:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Messages:</b> 1<p>
+         <b>Ending:</b> <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+         <b>Messages:</b> 2<p>
      <ul>
 
 <LI><A HREF="009979.html">[squid-dev] forward bumped traffic to parent in plain form
 </A><A NAME="9979">&nbsp;</A>
 <I>Anthony Pankov
+</I>
+
+<LI><A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
+</A><A NAME="9980">&nbsp;</A>
+<I>Alex Rousskov
 </I>
 
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-    <b>Archived on:</b> <i>Wed Mar  4 16:03:19 UTC 2026</i>
+       <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+    <b>Archived on:</b> <i>Wed Mar  4 18:43:48 UTC 2026</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>

squid-dev/2026-March/subject.html

@@ -19,20 +19,25 @@ <h1>March 2026 Archives by subject</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Ending:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Messages:</b> 1<p>
+         <b>Ending:</b> <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+         <b>Messages:</b> 2<p>
      <ul>
 
 <LI><A HREF="009979.html">[squid-dev] forward bumped traffic to parent in plain form
 </A><A NAME="9979">&nbsp;</A>
 <I>Anthony Pankov
+</I>
+
+<LI><A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
+</A><A NAME="9980">&nbsp;</A>
+<I>Alex Rousskov
 </I>
 
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-    <b>Archived on:</b> <i>Wed Mar  4 16:03:19 UTC 2026</i>
+       <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+    <b>Archived on:</b> <i>Wed Mar  4 18:43:48 UTC 2026</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>

squid-dev/2026-March/thread.html

@@ -19,8 +19,8 @@ <h1>March 2026 Archives by thread</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Ending:</b> <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-         <b>Messages:</b> 1<p>
+         <b>Ending:</b> <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+         <b>Messages:</b> 2<p>
      <ul>
 
 <!--0 01772640208.9979- -->
@@ -29,11 +29,19 @@ <h1>March 2026 Archives by thread</h1>
 <I>Anthony Pankov
 </I>
 
+<UL>
+<!--1 01772640208.9979-01772649825.9980- -->
+<LI><A HREF="009980.html">[squid-dev] forward bumped traffic to parent in plain form
+</A><A NAME="9980">&nbsp;</A>
+<I>Alex Rousskov
+</I>
+
+</UL>
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Wed Mar  4 16:03:28 UTC 2026</i><br>
-    <b>Archived on:</b> <i>Wed Mar  4 16:03:19 UTC 2026</i>
+       <i>Wed Mar  4 18:43:45 UTC 2026</i><br>
+    <b>Archived on:</b> <i>Wed Mar  4 18:43:48 UTC 2026</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>

squid-dev/index.html

@@ -25,7 +25,7 @@ <h1>The squid-dev Archives </h1>
               <A href="2026-March/author.html">[ Author ]</a>
               <A href="2026-March/date.html">[ Date ]</a>
             </td>
-            <td><A href="2026-March.txt">[ Text 1 KB ]</a></td>
+            <td><A href="2026-March.txt">[ Text 4 KB ]</a></td>
             </tr>