[squid-users] Delay pools: HTTPS and rep_mime_type support

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 18 10:20:32 UTC 2015


On 18/11/2015 8:53 p.m., Filippo Martinelli wrote:
> I'm struggling with squid delay pools. The documentation I found is very
> poor and on internet there is contradictory and possibly surpassed
> information. I would appreciate if you can point me to exhaustive
> information on delay pools.
> 
> First question:
> 
>     acl aclname url_regex -i \.exe
> 
> will it match an HTTPS request ? According to my experience and from some
> posts it will not, so cannot find any easy way to limit the bandwidth used
> to download .exe files from an HTTPS connection. Am I missing something ?
> The only suggestion google gave is to use something like "acl aclname
> method CONNECT" but it is too generic and will not discriminate between
> long .exe download or single page access on HTTPS connections.

"HTTPS" is not a single thing, or message type. It is a term to describe
an entire stack of multiple-layered protocols.

To do anything at all with URL or any other HTTP message details in what
could be termed an "HTTPS request" requires decrypting the TLS layer to
find the HTTP message secured inside it.


From that description it sounds to me like you are dealing with a
plain-text HTTP message of method CONNECT. There is almost zero
information in those. Apart from the domain name of the server the
client wants to talk to and maybe the client UA device, you are out of
luck using any of the more normal request/reply message details to
decide on the pool.

Squid should still be able to delay pool those CONNECT tunnels though.
But only as a whole thing, and there are still open bugs with unknown
causes. You need a fairly recent version of Squid for it to work even
halfway close to "properly".

For bandwidth control it is often better to use the QoS / TOS
functionality provided by your OS. Squid can output per-request values
for those systems to work with using qos_flows, tcp_outgoing_tos or
tcp_outgoing_mark.


> 
> Second question:
> 
>     acl streaming_exe rep_mime_type application/octet-stream
> 
> Can rep_mime_type be used with delay_access poolNumber allow ? Again,
> according to my experience and to some very old posts in internet it will
> not work, but the documentation lacks this important limitation.

Of the current Squid only 4.0.2 or later can do that. (re-)assigning
pools based on HTTP response details was only very recently ported from
Squid-2.6.

Amos
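
A squid.conf sketch of the options discussed in this reply, added as an illustration and not part of the original message. The domain name, pool rates and TOS value are assumptions chosen for the example.

```conf
# Constructed example: domain, rates and TOS value are placeholders.

# A CONNECT request exposes only the destination host, so that is
# the only request detail available for choosing a pool.
acl CONNECT method CONNECT
acl download_hosts dstdomain .downloads.example.com   # hypothetical domain

# Response-based ACL from the second question. It needs the response
# headers to be visible, so it cannot see inside a CONNECT tunnel.
acl streaming_exe rep_mime_type application/octet-stream

delay_pools 2

# Pool 1: class 1 (single aggregate bucket) for whole CONNECT tunnels
# to the listed hosts. Values are restore rate / bucket size in bytes.
delay_class 1 1
delay_parameters 1 64000/64000
delay_access 1 allow CONNECT download_hosts
delay_access 1 deny all

# Pool 2: assignment by response MIME type. Per the reply above this
# only works in Squid 4.0.2 or later.
delay_class 2 1
delay_parameters 2 64000/64000
delay_access 2 allow streaming_exe
delay_access 2 deny all

# Alternative to delay pools: mark the outgoing connections and let
# the OS QoS layer shape them (0x20 is an arbitrary example value).
tcp_outgoing_tos 0x20 CONNECT download_hosts
```

The tunnel pool throttles every byte sent to the matched hosts, page loads included, which is the "only as a whole thing" limitation described above.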


