[squid-users] SSL Terminating Reverse Proxy with Referral Tracking

[Amos Jeffries]

On 13/09/21 4:16 pm, Mehrdad Fatemi wrote:
> Hi Everyone,
> I'm looking for an elegant technology option to have telcos zero-rate 
> all of the traffic to a set of online destinations.

Can you clarify what you mean exactly by "zero rate" ?

What does it have to do with actions the proxy is performing?


> Using an SSL 
> terminating reverse proxy could be a potential answer to this as we can 
> focus on zero-rating the proxy's downstream traffic with each ISP/Telco 
> without worrying about upstream servers.
> 
> There are two challenges to address here though:
> 1) Modern web applications on the upstream servers use many 3rd party 
> and X-a-a-S resources  (e.g. embedded media, libraries, etc) that we 
> also want to pass through the proxy to ensure they are zero-rated.
> 

To be clear; "reverse proxy" is just an old term for CDN frontend. It 
requires public DNS records for the domains it services point all their 
traffic to the CDN/proxy.

I'm not sure you are talking about the same thing. Maybe you are needing 
an interception proxy or other QoS related systems.


In general;

a) If those upstream servers are doing XaaS fetches as their internal 
operations there is no relevance to the gateway. It simply passes 
traffic to upstream and they do their thing.

b) If those upstream servers are embedding URLs for clients to directly 
contact the XaaS services. Then your desire is not possible without 
redesigning the upstream service(s) such that they stop exposing their 
use of the XaaS. Which often also means redesigning the XaaS service 
itself too.


> 2) For a user to complete an end-to-end process they may get referred to 
> 3rd party websites (like a payment gateway) that we only want to 
> zero-rate if the referral is from one of our designated upstream servers.
> 

That is not possible for a reverse-proxy to do. It will never see the 
third-party traffic, as mentioned by (b) above.


Amos