On 9/06/2015 7:15 p.m., Rafael Akchurin wrote:
> Hi Amos,
>
> <snip>
>
>> There seems to be a bit of a myth going around about how HAProxy does
>> load balancing. HAProxy is an HTTP layer proxy. Just like Squid.
>>
>> They both do the same things to received TCP connections. But HAProxy
>> supports fewer HTTP features, so its somewhat simpler processing is also
>> a bit faster when you want it to be a semi-dumb load balancer.
>
>> We have somewhat recently added basic support for the PROXY protocol to Squid.
>> So HAProxy can relay port 80 connections to Squid-3.5+ without
>> processing them fully. However Squid does not yet support that on
>> https_port, which means the TLS connections still won't have client IP
>> details passed through.
>
> So what would be your proposition for the case of SSL Bump?
> How to get the connecting client IP and authenticated user name passed to the ICAP server when a cluster of squids is somehow getting the CONNECT tunnel established?
>
> Assume we left away the haproxy and rely solely on squid - how would you approach this and how many instances of squid would you deploy?
>
> From my limited knowledge the FQDN proxy name being resolved to a number of IP addresses running one squid per IP address is the simplest approach.
>

Yes, it would seem to be the only form which meets all your criteria too. Everything else runs up against the HTTPS brick wall.

Amos
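
An added illustration, not part of the original message and not Squid or HAProxy code: this Python example parses the text (version 1) form of the PROXY protocol header mentioned in the thread, which is how a balancer hands the original client address to the proxy behind it. The balancer address, the sample header and the function name are assumptions made for the example; the header is honoured only when it arrives from a configured balancer, because any other sender could claim an arbitrary client IP.

```python
import ipaddress

# Constructed values for illustration: the only peer allowed to send a header.
TRUSTED_BALANCERS = [ipaddress.ip_network("192.0.2.10/32")]
MAX_V1_HEADER = 107  # longest possible v1 line, including the CRLF

# Constructed sample: what a balancer would prepend to a relayed connection.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.20 51234 80\r\nGET / HTTP/1.1\r\n"


def parse_proxy_v1(peer_ip, data):
    """Return (client_ip, client_port, remaining_bytes) for a v1 header.

    Raises ValueError when the peer is not a trusted balancer or the
    header is malformed. client_ip is None for the UNKNOWN family.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_BALANCERS):
        # An untrusted sender could put any source address in the header.
        raise ValueError("PROXY header from untrusted peer")

    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    line, rest = data[:end], data[end + 2:]
    fields = line.decode("ascii").split(" ")  # non-ASCII raises ValueError

    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None, None, rest  # sender could not state the addresses
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad protocol family or field count")

    version = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != version or dst.version != version:
        raise ValueError("address does not match declared family")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if src_port > 65535 or dst_port > 65535:
        raise ValueError("port out of range")
    return str(src), src_port, rest


if __name__ == "__main__":
    print(parse_proxy_v1("192.0.2.10", SAMPLE))
```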