[squid-users] Secure Web Proxy Stress Testing

Alex Rousskov rousskov at measurement-factory.com
Tue Apr 10 18:11:05 UTC 2018


On 04/10/2018 11:24 AM, Panagiotis Bariamis wrote:
> Thank you for your answer, but as far as I can understand this setup is
> for a regular proxy that just proxies https protocol with http connect
> headers (unencrypted traffic between client and proxy on http connect
> request).

Your understanding is incorrect: All the traffic between the client and
the proxy is encrypted in that test.


> Secure web proxy encrypts traffic between client and proxy

Yes, and that is what the Polygraph workload sketch tests. The Squid
port for that workload is an https_port, not an http_port.


> meaning that you have an http connect request inside a tls tunnel. 

Yes, if the origin server is talking TLS. Just like a regular HTTP
proxy, an HTTPS proxy can proxy both plain and encrypted origin server
traffic. The latter requires a CONNECT tunnel. Whether the origin server
talks HTTP or HTTPS is a separate variable/issue, unrelated to whether
the client-proxy communication itself is secured.

Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
supports the combination of the two: TLS inside TLS (because HTTP/2
support essentially required that). I am not sure about Polygraph v4.
The workload I sketched uses HTTPS proxies and plain origin servers.


HTH,

Alex.



> On Tue, Apr 10, 2018, 17:22 Alex Rousskov wrote:
> 
>     On 04/10/2018 06:31 AM, Panagiotis Bariamis wrote:
>     > Is there any stress testing tool to test with a load of 1k to 5k
>     > simultaneous connections?
> 
>     Web Polygraph (http://www.web-polygraph.org) supports HTTPS proxies
>     and can create thousands of concurrent connections. Below is a PGL
>     configuration snippet from a recent HTTPS proxy test in our lab.
> 
>     HTH,
> 
>     Alex.
> 
> 
>     SslWrap sslWrap = {
>         ssl_config_file = "openssl.conf";
>         root_certificate = "CA-priv+pub.pem";
>         session_resumption = 70%;
>         session_cache = 100;
>     };
> 
>     Server S = {
>         // no ssl_wraps here unless you want to test TLS inside TLS
>         ...
>     };
> 
>     Proxy P = {
>         addresses = [ ... HTTPS proxy address ... ];
>         ssl_wraps = [ sslWrap ]; // this is an HTTPS proxy
>     };
> 
>     Robot R = {
>         ssl_wraps = [ sslWrap ]; // an HTTPS-capable client
> 
>         origins = S.addresses;
>         http_proxies = P.addresses;
> 
>         ...
>     };
> 
>     use(S,P,R);
> 



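The two cases distinguished in the reply above (plain origin vs. TLS origin behind an HTTPS proxy), shown from the client side as an added Python example; it is not code from this thread, from Squid or from Web Polygraph. The function names and the origin.example URLs are hypothetical, and the proxy CA file passed to open_tls_to_proxy is assumed to be supplied by the caller.

```python
import socket
import ssl
from urllib.parse import urlsplit


def open_tls_to_proxy(host, port, ca_file):
    """Outer layer: TLS between client and proxy (Squid https_port)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


def first_request(url):
    """Bytes the client sends to the proxy first, chosen by origin scheme."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    if u.scheme == "http":
        # Plain origin: absolute-form GET; the proxy reads and forwards it.
        return (f"GET {url} HTTP/1.1\r\nHost: {u.netloc}\r\n"
                "Connection: close\r\n\r\n").encode("ascii")
    # TLS origin: ask for a tunnel; the origin TLS handshake follows inside it.
    host = f"[{u.hostname}]" if ":" in u.hostname else u.hostname
    authority = f"{host}:{u.port or 443}"
    return (f"CONNECT {authority} HTTP/1.1\r\n"
            f"Host: {authority}\r\n\r\n").encode("ascii")


def send_via_proxy(stream, url):
    """Send the first request on a proxy connection; return (method, status)."""
    request = first_request(url)
    stream.sendall(request)
    head = b""
    while b"\r\n\r\n" not in head:  # read the proxy's response header
        chunk = stream.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed before a full response header")
        head += chunk
    status = int(head.split(b" ", 2)[1])
    # After "CONNECT" + 200 the caller starts the second (origin) TLS layer.
    return request.split(b" ", 1)[0].decode("ascii"), status


if __name__ == "__main__":
    # Constructed URLs; origin.example is a placeholder host.
    for url in ("http://origin.example/", "https://origin.example/"):
        print(first_request(url).decode("ascii").splitlines()[0])
```

In both cases the bytes returned by first_request are written to the socket from open_tls_to_proxy, so the request line, CONNECT included, is never on the wire in clear text between client and proxy.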