
Re: Behavior of Squid with SSL Bump and server persistent connections

Thanks for the quick reply. I want to explain my question further.

Consider C1 and S1 connections were created for an HTTPS connection using ssl-bump. C1 has been served and closed from the client side.

Now, the client initiates another HTTPS connection, C2. Since persistent connections are enabled, the expectation is to see that S1 gets re-used.

Behaviour seen now is that S2 gets created and a handshake ensues between squid and server. After ~30 seconds, S1 is re-used to serve the request C2. Persistence seems to work since S1 is re-used. However, why was S2 initiated, and why was S1 re-used only after ~30 seconds?


PFA: pcap file and the squid.conf


On Mon, Jul 2, 2018 at 4:57 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 07/02/2018 05:34 PM, Vishali Somaskanthan wrote:

> I am trying out SSL Bump for my connections from Squid to server and
> trying to put along server persistent connections as well. I would like
> to know how squid behaves with both of these turned on??

In modern Squids, all(*) bumped SSL client HTTP requests (from client
connection C) should use the corresponding bumped connection to the
server (S). After the first HTTP request, if more requests arrive on
connection C, and they are all regular/basic requests, then they can all
go through connection S. Once HTTP rules, timeouts, or other factors
prohibit connection S or connection C reuse, Squid should close both
connections.

Please note that I do not know whether Squid correctly forces all(*)
HTTP requests on connection C to connection S, but it should. If it does
not, file a bug report. Same for closing connection C when connection S
becomes unusable.


> I see info in the squid wiki page that SSL Bump creates fake CONNECT
> requests and Peeking at Step1 creates another CONNECT request.

Peeking or staring may indeed produce internal fake CONNECT requests,
but they are unrelated to your question. They are used internally to
handle the client TLS connection and for giving adaptation services a
say in the matter. Persistency is an HTTP term that is applied to what
happens _after_ the TLS connection is bumped.

(Also, peeking is a part of the SslBump feature -- they are not two
different actions or stages as "and" in your summary implies).


HTH,

Alex.
P.S. (*) "all" should be interpreted as "all that need a server
connection" here -- pure cache hits, adaptation-satisfied requests, and
probably some erroneous requests (e.g., those blocked by http_access
rules?) do not use the server connection.



--
Regards,
Vishali Somaskanthan

Attachment: bump-persistent-connections.pcap
Description: Binary data

Attachment: squid.conf
Description: Binary data
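For readers who want to reproduce the setup discussed in this thread, the fragment below is an added example of a squid.conf that bumps client TLS and keeps server connections persistent; it is not the squid.conf attached to the message above. The port number, certificate paths and the certificate-generator helper path are assumptions and depend on the Squid version and packaging.

```conf
# Added example, not the configuration attached to this thread.
# Port, paths and helper location are assumptions for illustration.

# Bumping listener; Squid mints per-host certificates signed by this CA.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at step 1 (ClientHello / SNI), then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Persistent connections on both sides. pconn_timeout is how long an idle
# server connection (S in the thread's terms) stays pooled before Squid closes it.
client_persistent_connections on
server_persistent_connections on
pconn_timeout 1 minute

# Raise logging for the persistent-connection pool (section 48) and server-side
# HTTP (section 11) so cache.log shows whether a request reused a pooled
# connection or opened a new one.
debug_options ALL,1 48,3 11,2
```

Compare the cache.log entries against the pcap timestamps to tell a pooled-connection reuse from a fresh TCP/TLS handshake.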

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
