Hello!
We are planning to use squid as a forward egress proxy to whitelist domains. In general, we configured it to whitelist/blacklist domains based on the examples on the site, and this seems to work with peek and splice in our preliminary tests as a transparent egress proxy. We're doing this in an AWS VPC using the standard techniques documented in their blogs.
I had a few questions about the setup for some additional features:
- We want to have the ability to connection pool certain HTTPS calls going externally from within squid. This would be specifically for some external partners that we know have slow connection setup time, and/or in case of misbehaving libraries.
- With the "peek and splice" method for HTTPS, this doesn't make sense, since it's basically a TCP tunnel. There shouldn't be a way to replay the handshake, hence it's impossible to pool at the squid layer.
- We need to consider 'bump' for some use cases along with our own intermediate CA, which we're ok with, since we can choose the domains to 'splice' and the domains to 'bump'.
- The biggest reason we care about TLS termination with bump is because we think it might give us performance benefits along some critical code paths due to connection pooling to some slow upstreams within squid.
- Does squid automatically do this, or does it need some extra config? I was looking at the 'server_connections' config var. [Currently we roughly follow the config in the AWS Guide.]
Another thing we cared about, with a much lower priority, was HTTP/2 translation. We would like to reap the benefits of HTTP/2 on external services that do support it and that we connect to, but our application does not yet have any production-safe HTTP/2 clients (Python). Is there any roadmap for when that will land on Squid master?
Thanks y'all
- Srikanth
Platform and Online Frameworks. Affirm Inc.
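As an added illustration (not part of the original post, and not the AWS guide's configuration), a squid.conf fragment sketching the split described above: peek at step 1 to read the SNI, splice whitelisted domains untouched, bump only the named partner domains so that Squid's own persistent server-side connections to them can be reused, and terminate everything else. The intercept ports, certificate paths, list files and the `bump-partners.txt` list are assumptions.

```conf
# Assumed transparent egress setup: VPC routing / iptables redirects
# port 80 to 3129 and port 443 to 3130 on the proxy instance.
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/egress-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Mints per-host leaf certs signed by the private CA above (path assumed)
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Allow lists (files assumed). Partners are listed in both places because
# bumped requests are re-evaluated by http_access with their real URL.
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt" "/etc/squid/bump-partners.txt"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
acl bump_partners ssl::server_name "/etc/squid/bump-partners.txt"
acl SSL_port port 443

# Intercepted TLS arrives as a fake CONNECT; let it reach the ssl_bump rules.
http_access allow SSL_port
http_access allow allowed_http_sites
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: only TCP details are known, so peek to read the ClientHello SNI.
ssl_bump peek step1 all
# Step 2: SNI is known. Bump only the slow partners (the pooling case),
# splice the rest of the allow list, and close anything not listed.
ssl_bump bump step2 bump_partners
ssl_bump splice step2 allowed_https_sites
ssl_bump terminate step2 all

# Reuse of decrypted upstream connections only happens for bumped traffic;
# spliced tunnels stay end-to-end and cannot be pooled by Squid.
server_persistent_connections on
client_persistent_connections on
```

Because the bumping CA key on this host can mint a certificate for any partner domain, it should be kept on the proxy only and the partner list kept as short as the pooling benefit justifies.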