[squid-users] Secrecy and TCP Reset and Allow Direct

creditu at eml.cc
Sat Dec 3 22:08:51 UTC 2016


I am trying to finalize an accelerator configuration in 3.1. The
accelerator has cache disabled (we use an external service) with cache
deny all. We have several public IPs that send requests to back end
Apache servers using http. The accelerator will provide both http and
https for a while. A few questions:

Trying to get an A rating in the Qualys site test and the best I can get is A- due
to forward secrecy not being supported for a few browsers. I think this is
due to Squid not being able to support ECDHE (which some of those
browsers need). Just wanted to confirm that we're not missing
something. Is there any alternate configuration that we may be able to
do?

I have an ACL that I want to send a TCP reset if the URL being requested
matches a regex. It seems to work, but in testing the first time a
browser requests the URL, the upper left corner of the browser has the
word "reset" in it. Subsequent requests seem to work as expected and
the client/browser gets the reset. In the cache log I see:

    errorpage.cc(293) errorTryLoadText: '/usr/share/squid/errors/en-us/TCP_RESET': (2) No such file or directory
    WARNING: Error Pages Missing Language: en-us
    errorpage.cc(293) errorTryLoadText: '/usr/share/squid/errors/en/TCP_RESET': (2) No such file or directory
    WARNING: Error Pages Missing Language: en

I touched an empty file in the directories and the errors went away.
Now after a squid restart I get "max-age=86400" in the upper left corner
once, then it goes away and works as expected (client gets reset). Just
curious whether this is expected. Here is the ACL:

# -i makes the match case-insensitive; the dots are escaped so they
# match a literal '.' rather than any character
acl www_url url_regex -i [^:]+://www\.example\.com.*
# TCP_RESET is a special deny_info target: Squid resets the connection
# instead of serving an error page
deny_info TCP_RESET www_url

Trying to understand whether we should use the always_direct directive with
this configuration. As stated, we just want to send public requests to
the backend servers. The current ACL for this is:

# back end Apache servers; always_direct bypasses any cache_peer for them
acl apache dst 10.10.10.0/24
always_direct allow apache
always_direct deny all
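A quick offline check of how a url_regex ACL like the one above actually matches, as an added example that is not part of the original message or of Squid: it approximates Squid's url_regex evaluation (an unanchored, case-insensitive search over the full request URL) with Python's re module and compares a pattern with unescaped dots against one with escaped dots and a host-boundary check, over constructed sample URLs. The patterns and URLs are assumptions for illustration; Squid itself uses POSIX regex, which agrees with Python for these expressions.

```python
import re

# Pattern with unescaped dots: '.' matches any single character.
LOOSE_PATTERN = r"[^:]+://www.example.com.*"
# Escaped dots plus an optional port and a host boundary, so only the
# intended host (not a longer host that merely starts with it) matches.
STRICT_PATTERN = r"[^:]+://www\.example\.com(:[0-9]+)?(/|$)"

# Constructed sample request URLs for the check.
SAMPLE_URLS = [
    "http://www.example.com/",                 # the intended host
    "HTTP://WWW.EXAMPLE.COM/index.html",       # same host, different case
    "http://www-example.com/",                 # '-' where a '.' was meant
    "http://wwwXexampleYcom/",                 # any char matches a bare '.'
    "http://www.example.com.test/",            # longer host, same prefix
    "http://example.com/",                     # different host
]


def acl_matches(pattern, url, case_insensitive=True):
    """Approximate Squid's url_regex test: an unanchored search over the
    whole URL, case-insensitive when the ACL is declared with -i."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, url, flags) is not None


def classify(pattern, urls=SAMPLE_URLS):
    """Map each URL to whether the ACL pattern would match it."""
    return {url: acl_matches(pattern, url) for url in urls}


def overmatched(loose=LOOSE_PATTERN, strict=STRICT_PATTERN, urls=SAMPLE_URLS):
    """URLs the loose pattern matches but the strict one does not, i.e.
    requests that would be reset without the author intending it."""
    return [u for u in urls if acl_matches(loose, u) and not acl_matches(strict, u)]


if __name__ == "__main__":
    for url, hit in classify(LOOSE_PATTERN).items():
        print(f"loose  {'MATCH' if hit else '     '}  {url}")
    for url, hit in classify(STRICT_PATTERN).items():
        print(f"strict {'MATCH' if hit else '     '}  {url}")
    print("overmatched by the loose pattern:", overmatched())
```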


