[squid-users] Slow App through Proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 18 22:27:44 UTC 2015


On 19/12/2015 6:51 a.m., Kinkie wrote:
> Hi,
>   Do you see anything denied in the squid logs? From what you say it could
> be related to a failing attempt to validate a certificate.
> On Dec 18, 2015 17:25, "Patrick Flaherty" wrote:
> 
>> Hello,
>>
>> We have an app configured to use Squid Proxy (3.5.11). The client machine
>> does not have access to the internet except for the whitelisted domains in
>> Squid. The app launches painfully slow. It seems to be SSL Certificate
>> related. I found a way to fix it but don’t know why it fixes it. Let me
>> explain.
>>
>> If I go into IE and configure it to use the Squid Proxy and I go to our
>> website (SSL Based), the page comes up fine with a nice lock symbol
>> signifying SSL. I then turn off the proxy config in IE to stop using the
>> Squid Proxy. I relaunch our app and it launches fast forever more!!! I
>> thought that it might be downloading a certificate but I look at all the
>> Windows certificates either through IE or CertMgr.msc and it appears that
>> no new certificates are in there after this exercise. Something in the
>> Windows config changed and I don’t know what it is. I would love to know
>> because I would like to see if there is an easier method to fix this as
>> opposed to the one I just outlined.
>>

Several other things could have happened:
* HSTS headers from the server are received by the browser,
* Alternative-Protocol headers received by the browser,
* CRL and OCSP browser lookups without the proxy,
* or any combo of the above.

Alternative-Protocol is particularly bad since it can cause the browser
to move away from HTTP entirely and use some other protocol. Chrome has
a thing for moving traffic from HTTP to Google custom protocols. MSIE
should be pretty good though it might move to HTTP/2.

HSTS requires the browser to start directly with a secure protocol
rather than HTTP (ie through the proxy). When combined with
Alternative-Protocol the two could potentially force HTTP and the proxy
to cease being even considered as a traffic route (if the browser thinks
the other protocol is more secure).

Since these happen inside the CONNECT tunnel used to go through an
explicit proxy, Squid does not have a chance to prevent the
Alternative-Protocol from taking effect.

OCSP and CRL are annoying but friendly enough to proxy.  Just find out
what the needed URIs are and ensure they are permitted through the proxy.

Amos
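Kinkie's question (anything denied in the logs?) and Amos's advice (find the OCSP/CRL URIs and permit them) can be combined into one small check. The script below is an added example, not code from this thread or from the Squid project: it parses Squid's native access.log format, collects the hosts behind every TCP_DENIED entry (using the CONNECT target for tunnels and the URL host for plain GETs), and emits `dstdomain` ACL lines for review. The log lines are constructed sample data; the ACL name `pki_lookups` and the hostnames are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Squid native access.log lines (not taken from the thread).
# Fields: timestamp elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1450475000.123      0 192.0.2.10 TCP_DENIED/403 3870 CONNECT ocsp.example.test:443 - HIER_NONE/- text/html
1450475001.456    120 192.0.2.10 TCP_MISS/200 4521 GET http://crl.example.test/root.crl - HIER_DIRECT/203.0.113.5 application/pkix-crl
1450475002.789     55 192.0.2.10 TCP_TUNNEL/200 10240 CONNECT www.example.test:443 - HIER_DIRECT/203.0.113.6 -
1450475003.001      0 192.0.2.10 TCP_DENIED/403 3870 GET http://crl.example.test/intermediate.crl - HIER_NONE/- text/html
1450475004.002      0 192.0.2.10 TCP_DENIED/403 3870 CONNECT ocsp.example.test:443 - HIER_NONE/- text/html
"""

# Native log format: fields are whitespace separated; the result code and HTTP
# status share one field ("TCP_DENIED/403").
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[^/\s]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one native-format access.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def request_host(method, url):
    """CONNECT requests log 'host:port'; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def denied_hosts(log_text):
    """Count TCP_DENIED entries per destination host."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "TCP_DENIED":
            continue
        host = request_host(rec["method"], rec["url"])
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


def acl_lines(hosts, acl_name="pki_lookups"):
    """Build squid.conf lines that permit the given hosts (acl name is an assumption)."""
    lines = [f"acl {acl_name} dstdomain {h}" for h in sorted(hosts)]
    lines.append(f"http_access allow {acl_name}")
    return lines


if __name__ == "__main__":
    denied = denied_hosts(SAMPLE_LOG)
    for host, n in sorted(denied.items()):
        print(f"{host}: denied {n} time(s)")
    print("\n".join(acl_lines(denied)))
```

Review the emitted hosts before pasting anything into squid.conf: only the OCSP responders and CRL distribution points that the client's certificate chain actually references belong on the whitelist, and the `http_access allow` line must sit above the rule that denies everything else, since Squid stops at the first matching `http_access` rule.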

