[squid-users] Long delays with TLS

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 13 19:46:04 UTC 2018


On 09/13/2018 01:00 PM, James Moe wrote:
> Hello,
>   squid 4.0.23
>   linux 4.12.14-lp150.12.7-default x86_64
> 
>   We have been seeing frequent, but not consistent, delays when proxying
> TLS requests while browsing. By disabling the proxy, those delays
> stopped occurring.

FYI: Your Squid is not configured to treat TLS specially. In that
configuration, your Squid does not know anything about TLS -- TLS
traffic is just opaque bytes to your Squid, hidden inside HTTP CONNECT
tunnels.


>   I can see no obvious hint in either the access or cache logs.

>   Where should I look to find what is causing the delay?

I would start by upgrading to the latest Squid v4 and then check for DNS
delays. DNS is used by both regular HTTP traffic and CONNECT tunnels
(carrying TLS bytes) so it may not fit your problem description
perfectly, but DNS delays are easier to check for than other suspects.
You can log DNS-related response times (%dt) and/or capture DNS traffic
to and from your Squid.


HTH,

Alex.


> ----[ conf ]----
> acl manager_admin src 192.168.69.115
> #
> # acl localnet src fc00::/7
> # acl localnet src fe80::/10
> #
> acl SSL_ports port 443
> acl SSL_ports port 631
> #
> # Jumpline cPanel ports
> acl SSL_ports port 2083
> acl SSL_ports port 2096
> #
> # sma-nas-02, cgatePro, webadmin
> acl SSL_ports port 5000
> acl SSL_ports port 5001
> acl SSL_ports port 9010
> acl SSL_ports port 9100
> acl SSL_ports port 10000
> #
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 563
> acl Safe_ports port 631
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 9100
> #
> acl CONNECT method CONNECT
> acl localnet src 192.168.69.0/24
> 
> access_log /var/log/squid/access.log
> #
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager_admin
> http_access allow manager localhost
> http_access deny manager
> http_access allow localnet
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> cache_dir ufs /data01/var/cache/squid 51200 16 256
> maximum_object_size 99999 KB
> cache_mem 256 MB
> coredump_dir /var/cache/squid
> 
> refresh_pattern ^ftp: 1440 20 10080
> refresh_pattern ^gopher: 1440 0 1440
> refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
> refresh_pattern . 0 20 4320
> 
> cache_log /var/log/squid/cache.log
> cache_mgr jimoe at sohnen-moe.com
> cache_replacement_policy lru
> cache_store_log /var/log/squid/store.log
> cache_swap_high 95
> cache_swap_low 90
> client_lifetime 1 days
> connect_timeout 2 minutes
> error_directory /usr/share/squid/errors/en
> ftp_passive on
> memory_replacement_policy lru
> minimum_object_size 0 KB
> ----[ end ]----
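As an added example (not from the thread or from the Squid project), the %dt check Alex suggests can be scripted: log the DNS lookup time alongside the total response time, then flag entries where DNS dominates. The `dnsdiag` logformat and the thresholds below are assumptions, and the sample log lines are constructed.

```python
"""Flag Squid access.log entries whose response time is dominated by DNS.

Assumes a custom logformat (hypothetical; add to squid.conf):
  logformat dnsdiag %ts.%03tu %6tr %dt %>a %Ss/%03>Hs %<st %rm %ru %Sh/%<a
  access_log /var/log/squid/access.log dnsdiag
where %tr is the total response time and %dt the DNS lookup time, both in ms.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "ts resp_ms dns_ms client status size method url hier")

# Nine whitespace-separated fields; %6tr is padded, so allow runs of blanks.
LINE_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_line(line):
    """Return an Entry, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, tr, dt, client, status, size, method, url, hier = m.groups()
    return Entry(float(ts), int(tr), int(dt), client, status, int(size), method, url, hier)

def slow_dns(lines, min_dns_ms=500, min_share=0.5):
    """Entries where DNS took >= min_dns_ms and >= min_share of the response time.

    Both CONNECT tunnels and plain HTTP requests are covered, since Squid
    resolves the origin host for either before it can connect."""
    hits = []
    for e in filter(None, map(parse_line, lines)):
        if e.dns_ms >= min_dns_ms and e.dns_ms >= min_share * max(e.resp_ms, 1):
            hits.append(e)
    return hits

# Constructed sample lines (not from the original post).
SAMPLE = """\
1536867964.123     45 2 192.168.69.20 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 HIER_DIRECT/93.184.216.34
1536867965.456   5210 5103 192.168.69.20 TCP_TUNNEL/200 4096 CONNECT mail.example.org:443 HIER_DIRECT/203.0.113.5
1536867966.789    120 0 192.168.69.21 TCP_MISS/200 8192 GET http://www.example.net/ HIER_DIRECT/198.51.100.7
1536867967.001   3100 1500 192.168.69.22 TCP_MISS/200 2048 GET http://cdn.example.com/a.js HIER_DIRECT/198.51.100.8
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for e in slow_dns(SAMPLE):
        print(f"{e.ts:.3f} {e.method} {e.url}: {e.dns_ms} ms DNS of {e.resp_ms} ms total")
```

Run it against the real access.log (e.g. `slow_dns(open(path))`) to see whether the sporadic stalls line up with slow resolver answers; if they do not, DNS can be ruled out and the packet capture Alex mentions is the next step.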