Questions about connection pooling to origins when using squid as a HTTPS forward egress proxy


Hello!
We are planning to use squid as a forward egress proxy to whitelist domains. In general, we configured it to whitelist/blacklist domains based on the examples in the site and this seems to work with peek and splice on our preliminary tests as a transparent egress proxy. We're doing this with an AWS VPC using the standard techniques documented in their blogs.

I had a few questions about the setup for some additional features:
  • We want to have the ability to connection pool certain HTTPS calls going externally from within squid. This would be specifically for some external partners that we know have slow connection setup time and/or in case of misbehaving libraries.
  • With the "peek and splice" method for HTTPS, this doesn't make sense, since it's a TCP tunnel basically. There shouldn't be a way to replay the handshake, hence it's impossible to pool at the squid layer.
  • We need to consider 'bump' for some use cases along with our own intermediate CA, which we're ok with, since we can choose the domains to 'splice' and domains to 'bump'.
  • The biggest reason we care about TLS termination with bump is because we think it might give us performance benefits along some critical code paths due to connection pooling to some slow upstreams within squid.
  • Does squid automatically do this or does it need some extra config? I was looking at the 'server_connections' config var. [Currently we roughly follow the config in the AWS Guide]

Another thing we cared about, with a much lower priority, was HTTP/2 translation. We would like to reap the benefits of HTTP/2 on external services that do support it and we connect to, but our application does not yet have any production-safe HTTP/2 clients (Python).
Is there any roadmap for when that will land on Squid master?

Thanks y'all
- Srikanth

Platform and Online Frameworks. Affirm Inc.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
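
The per-domain choice between 'splice' and 'bump' described in the message above, as a squid.conf fragment. This is an added example, not part of the original post and not the poster's or the Squid project's configuration; the domain names, port, and CA file path are placeholders, and it assumes Squid 4 or later option names with the existing http_access rules left in place.

```conf
# Added example (not from the original post). Placeholder values throughout.

# Intercepted HTTPS port; the CA file holds the intermediate CA cert and key
# used to mint certificates for bumped domains only.
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/intermediate-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Step 1 of SslBump: only the TLS client hello (SNI) has been seen.
acl step1 at_step SslBump1

# Domains whose TLS is terminated at the proxy (hypothetical slow partners).
acl bump_domains ssl::server_name .slow-partner.example

# Domains allowed out but tunnelled untouched (hypothetical allow-list).
acl splice_domains ssl::server_name .allowed.example

# Peek at the client hello first so the SNI is available to the ACLs above.
ssl_bump peek step1

# Terminate TLS for the chosen partners; clients must trust the intermediate CA.
ssl_bump bump bump_domains

# Everything else on the allow-list stays an opaque TCP tunnel.
ssl_bump splice splice_domains

# Anything not listed is refused rather than tunnelled by default.
ssl_bump terminate all

# Directive that controls reuse of server-side HTTP connections (default on).
# The post calls it 'server_connections'; it does not establish whether reuse
# applies to bumped traffic, so confirm with access.log and a packet capture.
server_persistent_connections on
```

Keeping the bump list as short as the allow-list permits limits how much traffic the proxy can read in clear text and how much depends on protecting the intermediate CA key.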
