On 19/10/23 01:21, Ben Goz wrote:
> By the help of God.
> Hi,
> I saw in my access log traces that show that spliced URLs tunneling
> is very slow:

Please clarify what you mean by "slow"?
How have you determined speed?
What speed are you expecting / would you call non-slow?

FYI, several things to be aware of:

1) A CONNECT tunnel is not a simple thing with a constant "speed" of
transfer. It represents an entire set of tunneled messages (or other
opaque data) over an indefinite timespan. Each of those messages has its
own "speed" of transfer, with possible empty periods of 0 bytes
transferred between.

2) The SSL-Bump procedure may pause a CONNECT tunnel during the TLS
handshake and/or validation process to asynchronously fetch missing
certificate details, and/or validate other data with ACLs, etc.
Each of these subsidiary transactions may add indefinite effects on
timing of the 'bumped' CONNECT tunnel.

3) Modern networking systems utilize "Happy Eyeballs" algorithms
wherein they may open multiple TCP connections to various (or same)
services in parallel and only utilize the fastest to connect. This can
result in a CONNECT tunnel being initiated and unused - either closed
immediately or left open waiting for activity for long periods.

So, as you should be able to see, the log snippet shows some details
about the tunnels' duration of use; you cannot tell "speed" from these logs.

For example:

> 18/Oct/2023:15:18:50 +0300 240841 192.168.3.98 TCP_TUNNEL/200 6225
> CONNECT beacons2.gvt2.com:443 - HIER_DIRECT/172.217.0.67 -
> beacons2.gvt2.com - splice -

Tunnel was _open_ for 240 seconds. 6225 bytes transferred.
Those bytes may have been transferred in the first 1 millisecond of the
tunnel being open, with Squid then leaving it open waiting for further
uses which never came.
... "slow" at 1.4 GB/sec.
... or it could have been "slow" at 10 bytes/sec the whole time. One
cannot tell.

> 18/Oct/2023:15:18:50 +0300 680 192.168.3.173 TCP_TUNNEL/500 4977
> CONNECT mobile.events.data.microsoft.com:443 - HIER_DIRECT/13.89.178.26 -
> mobile.events.data.microsoft.com - splice -

This tunnel was never open at all. It was *rejected*.
"speed" in that case was 3 KB/sec.

> 18/Oct/2023:15:18:51 +0300 127307 192.168.3.97 TCP_TUNNEL/500 3101
> CONNECT array612.prod.do.dsp.mp.microsoft.com:443 -
> HIER_DIRECT/20.54.24.148 - array612.prod.do.dsp.mp.microsoft.com -
> splice -

Tunnel was _open_ for 127 seconds. 3101 bytes transferred.
Those bytes may have been transferred in the first 1 millisecond of the
tunnel being open, with Squid then leaving it open waiting for further
uses which never came.
... "slow" at 376 MB/sec.
... or it could have been "slow" at 25 bytes/sec the whole time. One
cannot tell.

> This is my Squid configuration:
>
> acl NoSSLInterceptRegexp_always ssl::server_name --client-requested "/usr/local/squid/etc/splice.list"
> acl alwaysBump ssl::server_name --client-requested storage.googleapis.com youtubei.googleapis.com www.eset.com eset.com safebrowsing.googleapis.com play.google.com
> on_unsupported_protocol tunnel
> acl DiscoverSNIHost at_step SslBump1
> ssl_bump peek DiscoverSNIHost
> # Used to bump certain subdomains before the whole domain is bumped.
> ssl_bump bump alwaysBump
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump stare all
>
> Other CONNECT requests are served normally.
> Could this issue be a root cause of the generally slow internet?
>
> Thanks,
> Ben
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
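
The point made in the reply above, as an added example (not code from the thread or from the Squid project): it parses the three quoted access-log entries and reports, per tunnel, how long it was open, how many bytes it carried, and the lifetime average, which is only a lower bound on the real transfer rate. The field positions are assumed from the quoted lines, and the `idle_candidates` thresholds are illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed sample: the three entries quoted in the thread, one per line,
# with the mail client's auto-link residue removed.
SAMPLE_LOG = """\
18/Oct/2023:15:18:50 +0300 240841 192.168.3.98 TCP_TUNNEL/200 6225 CONNECT beacons2.gvt2.com:443 - HIER_DIRECT/172.217.0.67 - beacons2.gvt2.com - splice -
18/Oct/2023:15:18:50 +0300 680 192.168.3.173 TCP_TUNNEL/500 4977 CONNECT mobile.events.data.microsoft.com:443 - HIER_DIRECT/13.89.178.26 - mobile.events.data.microsoft.com - splice -
18/Oct/2023:15:18:51 +0300 127307 192.168.3.97 TCP_TUNNEL/500 3101 CONNECT array612.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/20.54.24.148 - array612.prod.do.dsp.mp.microsoft.com - splice -
"""

@dataclass
class Tunnel:
    client: str
    target: str
    status: int
    bump_mode: str
    duration_s: float
    size: int

    @property
    def lifetime_avg_bps(self) -> float:
        # Bytes over the whole lifetime, idle time included: a lower bound
        # on the rate at which the bytes actually moved, not a "speed".
        return self.size / self.duration_s if self.duration_s else 0.0

def parse_line(line: str):
    """Parse one entry; field positions are assumed from the thread's lines."""
    f = line.split()
    if len(f) < 14 or f[6] != "CONNECT" or "/" not in f[4]:
        return None
    try:
        return Tunnel(f[3], f[7], int(f[4].split("/")[1]), f[13],
                      int(f[2]) / 1000.0, int(f[5]))
    except ValueError:
        return None  # malformed numeric field

def parse_log(text: str):
    return [t for t in map(parse_line, text.splitlines()) if t]

def idle_candidates(tunnels, min_seconds=60.0, max_bytes=16384):
    """Long-lived, low-volume tunnels (thresholds are illustrative assumptions)."""
    return [t for t in tunnels
            if t.duration_s >= min_seconds and t.size <= max_bytes]

if __name__ == "__main__":
    for t in parse_log(SAMPLE_LOG):
        print(f"{t.client:15} {t.target:45} status={t.status} mode={t.bump_mode} "
              f"open={t.duration_s:8.3f}s bytes={t.size:5d} "
              f"avg>={t.lifetime_avg_bps:8.1f} B/s")
```

Measuring actual throughput needs per-interval byte counts (for example a packet capture or interface counters), which this log format does not record.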