[squid-users] derive HTTP/HTTPS upload traffic to a secondary interface.

Josep Borrell jborrell at central.aplitec.com
Thu Feb 26 08:29:38 UTC 2015


Hi Amos,

We are a school. Our Internet connections are 4 ADSL (8/0.8Mb) and 1 SDSL (4/4Mb).
We are doing session balancing in the firewall appliance.
The problem is when the students save their work: they
are using Google Apps for Education, so it is very easy to saturate the upload channel of the ADSL. The ones that are lucky enough to be on the SDSL can save their work fast. The rest must wait some minutes.
We thought that deriving the upload traffic to the SDSL would alleviate the situation.
Our ISP does not support any aggregation protocol, like MLPPP, which would be a solution.

Maybe there is another solution that we are missing.
Thoughts are welcome.

Thanks

Josep


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
Sent: Thursday, 26 February 2015 6:42
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] derive HTTP/HTTPS upload traffic to a secondary interface.

On 25/02/2015 4:09 a.m., Josep Borrell wrote:
> Hi,
> 
> After some digging I realized that this setup works fine for HTTP traffic but not for HTTPS. I'm using ssl_bump in intercept mode.
> Is it possible that for HTTPS traffic I can't split the upload / download?
> 

At the connection level Squid is performing multiplexing for the HTTP messages. They are stateless, so they can be split up and delivered over any connection it finds that meets the criteria.

SSL-Bump however is a single encrypted inbound stream of bytes. Squid is being a "transparent proxy" for it by ensuring that the outbound is as closely matching the inbound behaviour as possible. All the messages that come in on an encrypted stream should be going out on a matching (singular) outgoing encrypted connection. There are some unavoidable differences for HITS, errors/denies, forged certs etc., but for the most part it needs to be kept as transparent as possible to reduce HTTPS problems.

For intercepted traffic you can/should do load balancing by selecting the paths for new connections rather than messages. This is a major reason why I recommend doing load balancing at the OS level where NIC load vs capacity and the additional packet overheads can be taken into account.

Amos
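As an added illustration of the distinction Amos draws above (this fragment is not from the original thread and not Squid's own documentation), here is a squid.conf excerpt that contrasts a per-message selection of the outgoing address, which only has the intended effect for plain HTTP, with a per-connection selection that also holds for bumped HTTPS. The interface addresses (192.0.2.10 for the SDSL side, 192.0.2.20 for the ADSL side) and the client subnet 10.0.1.0/24 are assumptions chosen for the example.

```squid
# Added example, not from the original thread. 192.0.2.10 (SDSL) and
# 192.0.2.20 (ADSL side) are assumed interface addresses; 10.0.1.0/24 is an
# assumed client subnet. Use only ONE of the two alternatives below, since
# tcp_outgoing_address takes the first matching line.

# --- Alternative A: per-message selection (plain HTTP only) ---------------
# Uploads (POST/PUT) leave via the SDSL address. Squid multiplexes plain HTTP
# messages over its server connections, so this works for HTTP. For SSL-Bump
# traffic each intercepted client connection is kept on one outgoing
# encrypted connection, so a method ACL evaluated per message cannot move the
# encrypted stream to another interface.
acl upload method POST PUT
tcp_outgoing_address 192.0.2.10 upload
tcp_outgoing_address 192.0.2.20

# --- Alternative B: per-connection selection (HTTP and bumped HTTPS) ------
# A criterion known when the connection is opened (here the client source
# subnet) applies consistently to HTTP and to bumped HTTPS, but it balances
# whole connections across the links, not uploads versus downloads.
#acl lab_pcs src 10.0.1.0/24
#tcp_outgoing_address 192.0.2.10 lab_pcs
#tcp_outgoing_address 192.0.2.20
```

Alternative B is the Squid-side version of what Amos recommends; the same per-connection decision can instead be made below Squid by the OS or the firewall appliance, where link load and packet overhead are visible.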

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
