[squid-users] squid callout sequence

Amos Jeffries squid3 at treenet.co.nz
Mon Jun 25 23:35:30 UTC 2018


On 26/06/18 01:56, Gordon Hsiao wrote:
>     On 25/06/18 14:59, Gordon Hsiao wrote:
>     >      On 25/06/18 05:15, Gordon Hsiao wrote:
>     >     > at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I
>     noticed
>     >     > redirectors are way ahead of ssl-bump in the callout order, in a
>     >     > https-ssl-bump case
>     >
>     >     There is not really any "https-ssl-bump" case.
>     >
>     >     There is SSL-Bump (decrypting a TLS stream - or not), and
>     there is HTTPS
>     >     (HTTP messages inside TLS).
>     >
>     >
>     >     > you will need ssl-bump to run (so you can get full
>     >     > URL for example), then you can run redirector based on the
>     result of
>     >     > ssl-bump, correct?
>     >
>     >     No. SSL-Bump is an operation applied to a CONNECT message,
>     when setting
>     >     up the TLS tunnel. There are maybe also *multiple* CONNECT
>     messages when
>     >     SSL-Bump gets involved - which the FAQ text following that
>     sequence
>     >     describes.
>     >
>     >
>     >     HTTP is stateless protocol. So the CONNECT message(s) are
>     independent of
>     >     both each other, and anything decrypted from inside the
>     tunnel. Each and
>     >     every message Squid handles gets its own cycle through the callout
>     >     sequence.
>     >
>     >
>     >     > why is redirector run before ssl-bump?
>     >
>     >     Because Squid needs to know _where_ it is going before it can
>     connect
>     >     there. SSL-Bump is part of tunnel/connection setup.
>     >
>     >     Amos
>     >
>     >
>     > will SSL-Bump(not 'peek+splice', but the 'peek+bump' mode) decrypt all
>     > the tcp packets? For example I connect to youtube.com/myvideo
>     <http://youtube.com/myvideo>
>     > <http://youtube.com/myvideo>, will peek+bump only decrypt the pseudo
>     > CONNECT messages(I'm doing transparent proxy), or will it decrypt all
>     > the video streams too? if it's the latter case the proxy will be cpu
>     > intensive.
> 
>     Sorry if I wasn't clear. The ssl_bump (directive and CONNECT handling)
>     part is the TLS handshake at the beginning of TLS connections. Once the
>     decrypt or splice is setup it just continues indefinitely. Whatever is
>     being decrypted from within that TLS is completely separate from the
>     bumping itself.
> 
>     Amos
> 
> 
> So, peek+bump itself will only deal with TLS handshake part(e.g. to get
> FQDN/full-URL for redirectors)

Using the correct terms helps understanding. see RFC 7230
<https://tools.ietf.org/html/rfc7230#section-5.3>

'peek' and 'bump' are actions the SSL-Bump feature does.


* SSL-Bump 'peek' action gives the TLS SNI. Which is *only* a domain
name / FQDN
   - so an authority-form URI (FQDN:port) is known for the server.


* SSL-Bump 'bump' action exposes the encrypted requests which contain
their own URI-scheme, domain, port, path, query etc.
  - so the full absolute-form URI is known for each decrypted message.

  - these may not match the authority-form URI from the CONNECT message.



>, still the proxy will have to do
> aes-decrypt-and-encrypt for the same TCP stream when peek+bump is used,

To get full-URL (ie path and query parts).

> which could be very cpu intensive, correct? Because once peek+bump is
> used, the proxy split the ssl stream into two segments and will have to
> deal with everything for both ends.

Yes.

> 
> peek+splice is totally different and it will not need the
> aes-decrypt-and-encrypt, basically just probe for SNI then tunnel the
> whole connection, so proxy's cpu should not be overloaded at all.

Close yes.

Though to complicate things the presence of a proxy at all splits the
stream into "two parts" to get that peek ability. It's just that splice
action afterwards avoids the decrypt+encrypt CPU cycles.

Amos


More information about the squid-users mailing list