This option is consulted when a CONNECT request is received on
	an http_port (or a new connection is intercepted at an
	https_port), provided that port was configured with an ssl-bump
	flag. The subsequent data on the connection is either treated as
	HTTPS and decrypted OR tunneled at TCP level without decryption,
	depending on the first bumping "mode" which ACLs match.

	ssl_bump <mode> [!]acl ...

	The following bumping modes are supported:

	    client-first
		Allow bumping of the connection. Establish a secure connection
		with the client first, then connect to the server. This old mode
		does not allow Squid to mimic server SSL certificate and does
		not work with intercepted SSL connections.

	    server-first
		Allow bumping of the connection. Establish a secure connection
		with the server first, then establish a secure connection with
		the client, using a mimicked server certificate. Works with both
		CONNECT requests and intercepted SSL connections.

	    none
		Become a TCP tunnel without decoding the connection.
		Works with both CONNECT requests and intercepted SSL
		connections. This is the default behavior when no
		ssl_bump option is given or no ssl_bump ACLs match.

	By default, no connections are bumped.

	The first matching ssl_bump option wins. If no ACLs match, the
	connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump
	does not have an implicit "negate the last given option" rule. You
	must make that rule explicit if you convert old ssl_bump allow/deny
	rules that rely on such an implicit rule.

	This clause supports both fast and slow acl types.
	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

	See also: http_port ssl-bump, https_port ssl-bump


	# Example: Bump all requests except those originating from
	# localhost or those going to example.com.

	acl broken_sites dstdomain .example.com
	ssl_bump none localhost
	ssl_bump none broken_sites
	ssl_bump server-first all