Search squid archive

Re: Questions about connection pooling to origins when using squid as a HTTPS forward egress proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/06/19 11:24 pm, Srikanth Raju wrote:
> 
> 
>     >   * The biggest reason we care about TLS termination with bump is
>     >     because we think it might give us performance benefits along some
>     >     critical code paths *due to connection pooling to some slow
>     >     upstreams within squid.*
>     >   * Does squid automatically do this or does it need some extra
>     config.
>     >     I was looking at 'server_connections' config var.
> 
>     HTTPS connections cannot be pooled due to protocol ties at the transport
>     level between clients and servers. Once details of the TLS handshake are
>     delivered they are pinned together.
> 
> Well, what I meant was, that if we use "bump" directive, it is
> effectively terminating the  TLS connection from client at squid. And
> then squid initiates a separate TLS connection to the server. with it's
> own shared secret. Those connections to the servers/backends can be
> pooled. This means there's a decryption/reencryption step in between. Is
> not that what happens with squid?


Not to the degree needed for pooling. There are still many properties
from termination status, to token binding which require a 1:1 binding
between them.

It could potentially be done one day. But is not present yet and TLS is
in an arms race situation which makes it harder all the time to even do
SSL-Bump transparently.


It is really only possible for CDN operators to do pooling to their
origin servers. That is because they / reverse-proxies do not have to
use SSL-Bump at all.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux