[squid-users] this config is ok? is ok the order?

Amos Jeffries squid3 at treenet.co.nz
Wed May 31 15:29:39 UTC 2017

The answer to your question really depends on what your policies are for 
who and what the proxy can be used by.

The config tells one set of policies. But if those are not the one(s) 
you actually want to happen, then the config is incorrect even if it 
"looks okay".

If I assume that its doing what you want there are still two major 
issues that can be seen.

1) Mixing interception and authentication (ssl-bump is a type of 
interception, at least on the https:// traffic). Intercepted messages 
cannot be authenticated - though there are some workarounds in place for 
ssl-bump to authenticate the CONNECT tunnel and label all the bumped 
traffic with that username.

2) using directly in squid.conf can be amazingly harmful to 
performance. Despite the hype and marketing around Google services, the 
behaviour of this one is actively detrimental to HTTP persistant 
connections feature - namely it load balances which of their endpoint 
servers is handling each DNS query. As such Squid often sees domains 
rotating to a completely different bunch of IP addresses every TTL, 
which in turn means it cannot easily re-use any open connections to the 
prior bunch of IPs. Resulting in a huge churn on TCP sockets and 
unnecessary delays waiting for the new ones to open.

and there are a few minor polishing things you can doing you can do. But 
its not worth spending time on them until you are sure the config 
actually imposes your real wanted policy on the traffic.


More information about the squid-users mailing list