Commit f28ea25

committed
2026-04-16
1 parent 0c5f30e commit f28ea25

11 files changed

Lines changed: 839 additions & 25 deletions

File tree

squid-dev/2026-April.txt

Lines changed: 278 additions & 0 deletions
@@ -788,3 +788,281 @@ Best regards,
788788
Anthony mailto:anthony.pankov at yahoo.com
789789

790790

791+
From rousskov at measurement-factory.com Thu Apr 16 13:15:12 2026
792+
From: rousskov at measurement-factory.com (Alex Rousskov)
793+
Date: Thu, 16 Apr 2026 09:15:12 -0400
794+
Subject: [squid-dev] forward bumped traffic to parent in plain form
795+
In-Reply-To: <735280386.20260416144121@yahoo.com>
796+
References: <1985119311.20260304190328.ref@yahoo.com>
797+
<38965228.20260306181359@yahoo.com>
798+
<a87212b4-41bb-4d03-95cf-cb4704d45897@measurement-factory.com>
799+
<1736177688.20260308131738@yahoo.com>
800+
<878e2ea7-2dda-410a-8bdf-1fabd429315e@measurement-factory.com>
801+
<991408460.20260310135102@yahoo.com>
802+
<f867539b-0550-43c6-9aa0-d74e8758cea6@measurement-factory.com>
803+
<1493984953.20260310175054@yahoo.com>
804+
<a728e3a6-ccc6-401d-bef4-355526f16f9a@measurement-factory.com>
805+
<803480691.20260326151406@yahoo.com>
806+
<50390f1b-105f-4384-ba35-b6a9e37a7684@measurement-factory.com>
807+
<1332811842.20260331193229@yahoo.com>
808+
<63b3703d-c87a-47ef-9e26-98b0ed4e4d18@measurement-factory.com>
809+
<1832116129.20260403142017@yahoo.com>
810+
<7785cda9-25eb-4eb7-bac7-0d5d6b82a4ad@measurement-factory.com>
811+
<532105899.20260407175513@yahoo.com>
812+
<06d7a5ac-f453-42c1-9031-8b7fb1110deb@measurement-factory.com>
813+
<197778323.20260414142308@yahoo.com>
814+
<335dc223-7353-4d06-8033-382ccfc8eb57@measurement-factory.com>
815+
<735280386.20260416144121@yahoo.com>
816+
Message-ID: <5d1dc7a9-141b-40c8-a401-74efef34488c@measurement-factory.com>
817+
818+
On 2026-04-16 07:41, Anthony Pankov wrote:
819+
820+
>> Alex: AFAICT, according to SslPeekAndSplice, after step1, Squid interprets "bump" as
821+
>> * "talk to the server and then respond to the client" rather than
822+
>> * "respond to the client and then talk to the server".
823+
824+
825+
> If a bump after step1 defined as "talk to the server and then respond
826+
> to the client" consequently Squid should not allow any "client-first"
827+
> modes.
828+
829+
Today, Squid probably does not support "respond to the client and then
830+
talk to the server" behavior after step1. Assuming that is true:
831+
832+
* That current code state does not imply that Squid "should not" support
833+
such behavior in the future.
834+
835+
* It implies that if Squid gains such support in the future, then that
836+
support is likely to require changes in how Squid configuration is
837+
interpreted, probably either by adding new actions (to preserve behavior
838+
of existing deployments) or allowing the existing "client-first" action
839+
beyond step1 (with a risk of breaking a few existing deployments that
840+
still use that currently deprecated action).
841+
842+
Since I assume that the behavior you need does not match any existing
843+
configuration, I recommended hard-coding the new behavior as the next
844+
development step, and then, if you want to make those tested/working
845+
changes official, discussing how to make those hard-coded changes
846+
configurable. Alternatively, you can make all those configuration
847+
decisions upfront, making collaboration more difficult and increasing
848+
the risk that your configuration changes will be misunderstood and/or
849+
rejected.
850+
851+
Alex.
852+
853+
> Otherwise term "bump" in configuration must be redefined or have to
854+
> be interpreted conditionally.
855+
856+
857+
858+
From rousskov at measurement-factory.com Thu Apr 16 13:45:40 2026
859+
From: rousskov at measurement-factory.com (Alex Rousskov)
860+
Date: Thu, 16 Apr 2026 09:45:40 -0400
861+
Subject: [squid-dev] form PROXY header for cache_peer requests
862+
In-Reply-To: <17170699.20260416145102@yahoo.com>
863+
References: <17170699.20260416145102.ref@yahoo.com>
864+
<17170699.20260416145102@yahoo.com>
865+
Message-ID: <06a06168-f7ac-43c5-8793-ad295886cefc@measurement-factory.com>
866+
867+
On 2026-04-16 07:51, Anthony Pankov wrote:
868+
869+
> I didn't find how to instruct Squid to form PROXY header for request
870+
> going to parent cache_peer.
871+
872+
873+
Official Squid code does not support PROXY protocol on cache_peer
874+
connections. Factory has implemented the required changes, but the
875+
corresponding proxy_protocol_outgoing feature is currently stuck in
876+
Squid Project backlog. Squid core developers cannot find a way to
877+
collaborate on clearing that growing backlog, so there is no ETA.
878+
879+
880+
> AI said: ... proxy-out option ...
881+
There is no such option. FWIW, I have quoted current unofficial/draft
882+
documentation of the backlogged proxy_protocol_outgoing feature below.
883+
884+
885+
HTH,
886+
887+
Alex.
888+
889+
> proxy_protocol_outgoing
890+
>
891+
> Determines which Squid-to-peer connections start with a PROXY protocol
892+
> header and defines the composition of the PROXY protocol header sent.
893+
>
894+
> proxy_protocol_outgoing <header-field>... [if [!]<acl>...]
895+
>
896+
> Squid makes the first decision to send a PROXY protocol header before
897+
> selecting the next forwarding hop for the request. Thus, at the
898+
> decision-making time, the origin server hostname is known, but the next
899+
> hop details (e.g., cache_peer name and source/destination IP addresses of
900+
> a Squid-to-peer connection) are unknown. The decision is remade every time
901+
> Squid has to reforward the request to a different hop (e.g., another
902+
> cache_peer).
903+
>
904+
> When deciding, Squid checks proxy_protocol_outgoing directives in their
905+
> configuration order. After an `if` clause matches, the corresponding PROXY
906+
> protocol header configuration is used and no further directives are
907+
> checked. A directive without the optional `if` clause always matches when
908+
> checked. If no directives match, a PROXY protocol header is not sent.
909+
>
910+
> For now, Squid only sends PROXY protocol v2 headers.
911+
>
912+
> For now, Squid does not reuse idle persistent connections for
913+
> transactions matching a proxy_protocol_outgoing rule. In other words,
914+
> a proxy_protocol_outgoing match guarantees that Squid will open a
915+
> fresh connection to the peer even when there are suitable idle
916+
> persistent connections available for communicating with that peer. >
917+
> For now, PROXY protocol header is sent unencrypted, even for
918+
> connections to TLS origin servers and cache_peers with "tls" option.
919+
> This allows some network services to extract PROXY protocol header
920+
> information before switching to forwarding of encrypted bytes. Future
921+
> enhancements may support optional encryption of PROXY protocol bytes.
922+
>
923+
> Depending on request routing rules, it may be difficult to configure Squid
924+
> to send different PROXY protocol headers to different cache_peers because
925+
> forwarding route selection happens after PROXY protocol header generation.
926+
> To accommodate more use cases, we may have to delay PROXY protocol
927+
> header-generation/sending decision until after the next hop selection.
928+
>
929+
> When opening a CONNECT tunnel through a cache_peer, Squid sends the
930+
> PROXY protocol header before sending CONNECT request. PROXY protocol
931+
> header bytes and CONNECT request header bytes may share the same TCP
932+
> packet.
933+
>
934+
> Normally, Squid sends a "PROXY" command, but when sending a request
935+
> generated internally by Squid (instead of forwarding a request received
936+
> from a client), Squid sends a "LOCAL" command and ignores (i.e. does not
937+
>
938+
> TLV values as opaque strings. A configured logformat value of "-" and an
939+
> evaluated format value of "-" are not treated specially -- Squid sends a
940+
> TLV field with a dash value.
941+
>
942+
> Squid failure to "compile" a configured TLV format specification is a
943+
> fatal configuration error (e.g., 239="%"). If a TLV value cannot be
944+
> computed at header construction time or the computed value exceeds 65535
945+
> bytes in length, Squid does not send the affected field and records a
946+
> level-1 WARNING to cache.log.
947+
>
948+
> Squid does not yet support sending well-known TLVs like PP2_TYPE_CRC32C.
949+
>
950+
> Optional TLVs are sent in the order they are specified by this directive.
951+
> Using one TLV type multiple times is allowed, but identical (at
952+
> configuration interpretation time, before logformat %code substitution)
953+
> type=value entries lead to fatal configuration errors.
954+
>
955+
> Details that apply to both address block fields and TLVs:
956+
>
957+
> Header field values (i.e. logformat format specifications) must be quoted
958+
> using "double quotes". Squid removes quotes before using the quoted value.
959+
>
960+
> Logformat evaluation is subject to log_uses_indirect_client directive. In
961+
> most cases, Squid-to-peer connection and response-related details are not
962+
> available during this evaluation because Squid has not opened the
963+
> corresponding connection to the peer yet.
964+
>
965+
> Example:
966+
>
967+
> acl toPeerThatExpectsConnectionTags dstdomain -n example.com
968+
> proxy_protocol_outgoing \
969+
> src_addr="%>a" \
970+
> dst_addr="::" \
971+
> src_port="%>p" \
972+
> dst_port="-" \
973+
> 224="%proxy_protocol::>h{224}" \
974+
> 225="%note{myConnectionTag_}" \
975+
> 239="" \
976+
> if toPeerThatExpectsConnectionTags
977+
>
978+
> This clause only supports fast acl types.
979+
> See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
980+
981+
982+
From anthony.pankov at yahoo.com Thu Apr 16 14:23:56 2026
983+
From: anthony.pankov at yahoo.com (Anthony Pankov)
984+
Date: Thu, 16 Apr 2026 17:23:56 +0300
985+
Subject: [squid-dev] form PROXY header for cache_peer requests
986+
In-Reply-To: <06a06168-f7ac-43c5-8793-ad295886cefc@measurement-factory.com>
987+
References: <17170699.20260416145102.ref@yahoo.com>
988+
<17170699.20260416145102@yahoo.com>
989+
<06a06168-f7ac-43c5-8793-ad295886cefc@measurement-factory.com>
990+
Message-ID: <1187431767.20260416172356@yahoo.com>
991+
992+
Thursday, April 16, 2026, 4:45:40 PM, you wrote:
993+
994+
> On 2026-04-16 07:51, Anthony Pankov wrote:
995+
996+
>> I didn't find how to instruct Squid to form PROXY header for request
997+
>> going to parent cache_peer.
998+
999+
1000+
> Official Squid code does not support PROXY protocol on cache_peer connections. Factory has implemented the required changes, but the corresponding proxy_protocol_outgoing feature is currently stuck in Squid Project backlog. Squid core developers cannot find a way to collaborate on clearing that growing backlog, so there is no ETA.
1001+
1002+
Is it somewhere in pull requests?
1003+
1004+
1005+
1006+
--
1007+
Best regards,
1008+
Anthony
1009+
1010+
1011+
From anthony.pankov at yahoo.com Thu Apr 16 14:36:29 2026
1012+
From: anthony.pankov at yahoo.com (Anthony Pankov)
1013+
Date: Thu, 16 Apr 2026 17:36:29 +0300
1014+
Subject: [squid-dev] forward bumped traffic to parent in plain form
1015+
In-Reply-To: <5d1dc7a9-141b-40c8-a401-74efef34488c@measurement-factory.com>
1016+
References: <1985119311.20260304190328.ref@yahoo.com>
1017+
<38965228.20260306181359@yahoo.com>
1018+
<a87212b4-41bb-4d03-95cf-cb4704d45897@measurement-factory.com>
1019+
<1736177688.20260308131738@yahoo.com>
1020+
<878e2ea7-2dda-410a-8bdf-1fabd429315e@measurement-factory.com>
1021+
<991408460.20260310135102@yahoo.com>
1022+
<f867539b-0550-43c6-9aa0-d74e8758cea6@measurement-factory.com>
1023+
<1493984953.20260310175054@yahoo.com>
1024+
<a728e3a6-ccc6-401d-bef4-355526f16f9a@measurement-factory.com>
1025+
<803480691.20260326151406@yahoo.com>
1026+
<50390f1b-105f-4384-ba35-b6a9e37a7684@measurement-factory.com>
1027+
<1332811842.20260331193229@yahoo.com>
1028+
<63b3703d-c87a-47ef-9e26-98b0ed4e4d18@measurement-factory.com>
1029+
<1832116129.20260403142017@yahoo.com>
1030+
<7785cda9-25eb-4eb7-bac7-0d5d6b82a4ad@measurement-factory.com>
1031+
<532105899.20260407175513@yahoo.com>
1032+
<06d7a5ac-f453-42c1-9031-8b7fb1110deb@measurement-factory.com>
1033+
<197778323.20260414142308@yahoo.com>
1034+
<335dc223-7353-4d06-8033-382ccfc8eb57@measurement-factory.com>
1035+
<735280386.20260416144121@yahoo.com>
1036+
<5d1dc7a9-141b-40c8-a401-74efef34488c@measurement-factory.com>
1037+
Message-ID: <190674630.20260416173629@yahoo.com>
1038+
1039+
Hello Alex,
1040+
1041+
Thursday, April 16, 2026, 4:15:12 PM, you wrote:
1042+
1043+
> On 2026-04-16 07:41, Anthony Pankov wrote:
1044+
1045+
>>> Alex: AFAICT, according to SslPeekAndSplice, after step1, Squid interprets "bump" as
1046+
>>> * "talk to the server and then respond to the client" rather than
1047+
>>> * "respond to the client and then talk to the server".
1048+
1049+
1050+
>> If a bump after step1 defined as "talk to the server and then respond
1051+
>> to the client" consequently Squid should not allow any "client-first"
1052+
>> modes.
1053+
1054+
> Today, Squid probably does not support "respond to the client and then talk to the server" behavior after step1. Assuming that is true:
1055+
1056+
> * That current code state does not imply that Squid "should not" support such behavior in the future.
1057+
1058+
> * It implies that if Squid gains such support in the future, then that support is likely to require changes in how Squid configuration is interpreted, probably either by adding new actions (to preserve behavior of existing deployments) or allowing the existing "client-first" action beyond step1 (with a risk of breaking a few existing deployments that still use that currently deprecated action).
1059+
1060+
Why I was asking was to know is there any roadmap for introducing new actions or modifying configuration interpretation to do my changes accordingly.
1061+
But, OK, I understood.
1062+
1063+
1064+
--
1065+
Best regards,
1066+
Anthony
1067+
1068+
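Review bot: the quoted proxy_protocol_outgoing documentation is cut mid-sentence at added lines 936-938, where "ignores (i.e. does not" is followed by a bare ">" and then resumes with "TLV values as opaque strings", so the text describing the LOCAL command and the start of the TLV description is missing from the archived copy. Added line 916 also ends with a stray ">" that looks like a lost blank quoted line before the "sent unencrypted" paragraph. Check the original message (Message-ID 06a06168-f7ac-43c5-8793-ad295886cefc) for the same gap before this becomes the archived record, and regenerate the mbox entry if the text was dropped during archiving.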

squid-dev/2026-April/010009.html

Lines changed: 4 additions & 3 deletions
@@ -13,7 +13,7 @@
1313
</style>
1414
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
1515
<LINK REL="Previous" HREF="010008.html">
16-
<LINK REL="Next" HREF="010010.html">
16+
<LINK REL="Next" HREF="010011.html">
1717
</HEAD>
1818
<BODY BGCOLOR="#ffffff">
1919
<H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
@@ -25,7 +25,7 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
2525
<P><UL>
2626
<LI>Previous message (by thread): <A HREF="010008.html">[squid-dev] forward bumped traffic to parent in plain form
2727
</A></li>
28-
<LI>Next message (by thread): <A HREF="010010.html">[squid-dev] form PROXY header for cache_peer requests
28+
<LI>Next message (by thread): <A HREF="010011.html">[squid-dev] forward bumped traffic to parent in plain form
2929
</A></li>
3030
<LI> <B>Messages sorted by:</B>
3131
<a href="date.html#10009">[ date ]</a>
@@ -61,13 +61,14 @@ <H1>[squid-dev] forward bumped traffic to parent in plain form</H1>
6161
</PRE>
6262

6363

64+
6465
<!--endarticle-->
6566
<HR>
6667
<P><UL>
6768
<!--threads-->
6869
<LI>Previous message (by thread): <A HREF="010008.html">[squid-dev] forward bumped traffic to parent in plain form
6970
</A></li>
70-
<LI>Next message (by thread): <A HREF="010010.html">[squid-dev] form PROXY header for cache_peer requests
71+
<LI>Next message (by thread): <A HREF="010011.html">[squid-dev] forward bumped traffic to parent in plain form
7172
</A></li>
7273
<LI> <B>Messages sorted by:</B>
7374
<a href="date.html#10009">[ date ]</a>

squid-dev/2026-April/010010.html

Lines changed: 11 additions & 6 deletions
@@ -12,8 +12,8 @@
1212
}
1313
</style>
1414
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
15-
<LINK REL="Previous" HREF="010009.html">
16-
15+
<LINK REL="Previous" HREF="010014.html">
16+
<LINK REL="Next" HREF="010012.html">
1717
</HEAD>
1818
<BODY BGCOLOR="#ffffff">
1919
<H1>[squid-dev] form PROXY header for cache_peer requests</H1>
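Review bot: confirm that 010014.html carries a Next link back to 010010.html and that 010012.html names 010010.html as its Previous. Lines 15-16 now point at those two pages, but neither page's hunks are visible here, and 010009.html in this same commit moves its Next link away from 010010.html to 010011.html, so a missing reciprocal link would leave this message unreachable from thread navigation.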
@@ -23,9 +23,10 @@ <H1>[squid-dev] form PROXY header for cache_peer requests</H1>
2323
</A><BR>
2424
<I>Thu Apr 16 11:51:02 UTC 2026</I>
2525
<P><UL>
26-
<LI>Previous message (by thread): <A HREF="010009.html">[squid-dev] forward bumped traffic to parent in plain form
26+
<LI>Previous message (by thread): <A HREF="010014.html">[squid-dev] forward bumped traffic to parent in plain form
27+
</A></li>
28+
<LI>Next message (by thread): <A HREF="010012.html">[squid-dev] form PROXY header for cache_peer requests
2729
</A></li>
28-
2930
<LI> <B>Messages sorted by:</B>
3031
<a href="date.html#10010">[ date ]</a>
3132
<a href="thread.html#10010">[ thread ]</a>
@@ -54,13 +55,17 @@ <H1>[squid-dev] form PROXY header for cache_peer requests</H1>
5455

5556
</PRE>
5657

58+
59+
60+
5761
<!--endarticle-->
5862
<HR>
5963
<P><UL>
6064
<!--threads-->
61-
<LI>Previous message (by thread): <A HREF="010009.html">[squid-dev] forward bumped traffic to parent in plain form
65+
<LI>Previous message (by thread): <A HREF="010014.html">[squid-dev] forward bumped traffic to parent in plain form
66+
</A></li>
67+
<LI>Next message (by thread): <A HREF="010012.html">[squid-dev] form PROXY header for cache_peer requests
6268
</A></li>
63-
6469
<LI> <B>Messages sorted by:</B>
6570
<a href="date.html#10010">[ date ]</a>
6671
<a href="thread.html#10010">[ thread ]</a>
