[squid-users] Behavior of Squid with SSL Bump and server persistent connections

Alex Rousskov rousskov at measurement-factory.com
Mon Jul 2 23:57:54 UTC 2018


On 07/02/2018 05:34 PM, Vishali Somaskanthan wrote:

> I am trying out SSL Bump for my connections from Squid to server and
> trying to put along server persistent connections as well. I would like
> to know how squid behaves with both of these turned on??

In modern Squids, all(*) bumped SSL client HTTP requests (from client
connection C) should use the corresponding bumped connection to the
server (S). After the first HTTP request, if more requests arrive on
connection C, and they are all regular/basic requests, then they can all
go through connection S. Once HTTP rules, timeouts, or other factors
prohibit connection S or connection C reuse, Squid should close both
connections.

Please note that I do not know whether Squid correctly forces all(*)
HTTP requests on connection C to connection S, but it should. If it does
not, file a bug report. Same for closing connection C when connection S
becomes unusable.


> I see info in the squid wiki page that SSL Bump creates fake CONNECT
> requests and Peeking at Step1 creates another CONNECT request. 

Peeking or staring may indeed produce internal fake CONNECT requests,
but they are unrelated to your question. They are used internally to
handle the client TLS connection and for giving adaptation services a
say in the matter. Persistency is an HTTP term that is applied to what
happens _after_ the TLS connection is bumped.

(Also, peeking is a part of the SslBump feature -- they are not two
different actions or stages as "and" in your summary implies).


HTH,

Alex.
P.S. (*) "all" should be interpreted as "all that need a server
connection" here -- pure cache hits, adaptation-satisfied requests, and
probably some erroneous requests (e.g., those blocked by http_access
rules?) do not use the server connection.
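
An added example, not part of the original message or of Squid's own code: one way to check from access logs whether every request on a bumped client connection C went out on a single server connection S, as the reply above says it should. The logformat name `pin`, the log path, the sample lines, and the handling of CONNECT and "-" entries are assumptions.

```python
# Added example: checks the "all requests on C use the same S" expectation.
# Assumed (hypothetical) squid.conf logging, built from standard logformat codes:
#   logformat pin %ts.%03tu %>a:%>p %<la:%<lp %Ss/%03>Hs %rm %ru
#   access_log /var/log/squid/pin.log pin
from collections import defaultdict

# Constructed sample lines in the format above (not real traffic).
SAMPLE_LOG = """\
1530575874.101 10.0.0.5:51000 192.0.2.1:40001 NONE/200 CONNECT example.com:443
1530575874.250 10.0.0.5:51000 192.0.2.1:40001 TCP_MISS/200 GET https://example.com/
1530575874.900 10.0.0.5:51000 -:- TCP_MEM_HIT/200 GET https://example.com/logo.png
1530575875.300 10.0.0.5:51000 192.0.2.1:40001 TCP_MISS/200 GET https://example.com/api
1530575876.000 10.0.0.7:52000 192.0.2.1:40002 TCP_MISS/200 GET https://example.org/
1530575876.500 10.0.0.7:52000 192.0.2.1:40003 TCP_MISS/200 GET https://example.org/next
"""


def server_connections_per_client(log_text):
    """Map each client connection (ip:port) to the distinct server-side
    local endpoints (ip:port) used by its bumped HTTP requests."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, server, _status, method, _url = line.split(None, 5)
        # Assumption: CONNECT entries describe the tunnel or the internal fake
        # CONNECT, not a bumped HTTP request, so they are not counted.
        if method == "CONNECT":
            continue
        # Assumption: "-" means no server connection was used (cache hit,
        # adaptation-satisfied or denied request, per the P.S. above).
        if server.startswith("-"):
            continue
        if server not in seen[client]:
            seen[client].append(server)
    return dict(seen)


def pinning_violations(log_text):
    """Client connections whose requests used more than one server connection.
    Client ports get reused over time, so run this over a short time window."""
    return {c: s for c, s in server_connections_per_client(log_text).items()
            if len(s) > 1}


if __name__ == "__main__":
    for client, servers in pinning_violations(SAMPLE_LOG).items():
        print(f"{client} used {len(servers)} server connections: {servers}")
```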

