<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> * The biggest reason we care about TLS termination with bump is<br>
> because we think it might give us performance benefits along some<br>
> critical code paths *due to connection pooling to some slow<br>
> upstreams within squid.*<br>
> * Does squid automatically do this or does it need some extra config.<br>
> I was looking at 'server_connections' config var.<br>
<br>
HTTPS connections cannot be pooled due to protocol ties at the transport<br>
level between clients and servers. Once details of the TLS handshake are<br>
delivered they are pinned together.<br>
<br></blockquote><div>Well, what I meant was that if we use the "bump" directive, it is effectively terminating the TLS connection from the client at squid. Then squid initiates a separate TLS connection to the server, with its own shared secret. Those connections to the servers/backends can be pooled. This means there's a decryption/re-encryption step in between. Isn't that what happens with squid?<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Instead Squid delivers what https:// responses it can from cache, which<br>
is the next best thing.<br>
<br>
<br>
> [Currently we<br>
> roughly follow the config in the AWS Guide]<br>
> <<a href="https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/" rel="noreferrer" target="_blank">https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/</a>><br>
> <br>
<br>
Please be aware that config is unsafe. It effectively makes an<br>
open-proxy setup. Any client anywhere in the world can abuse the proxy<br>
as a relay to reach any AWS hosted site.<br></blockquote><div> </div><div>Ah, interesting, thank you for pointing out that detail. We're just testing and playing around with it right now, so luckily we're safe :)<br></div></div></div>
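<div>The open-proxy warning above comes down to the order and scope of Squid's <code>http_access</code> rules, which are evaluated top to bottom with the first match winning. The fragment below is an added illustration, not the AWS guide's configuration and not Squid's own documentation: it shows the shape of the mistake (an unrestricted allow) beside a restricted configuration that only admits the NAT instance's own VPC, combined with the <code>ssl_bump</code> termination discussed in the thread. The CIDR, port numbers and file paths are assumptions.</div>

```conf
# Added example (not the AWS guide's config, not Squid's own docs).
# Assumptions: VPC CIDR 10.0.0.0/16, intercept ports 3129/3130,
# CA and helper paths as shown below.

# --- Open proxy (unsafe) ---
# http_access rules are checked top to bottom, first match wins.
# An unrestricted allow, before any source restriction, lets any
# client that can reach the listening port use Squid as a relay:
#
#   http_access allow all
#
# --- Restricted (corrected) ---
# Only the VPC's private range may use the proxy; everything else
# is denied by the final rule.
acl localnet src 10.0.0.0/16

# Standard port hygiene: refuse requests to unsafe ports and
# CONNECT tunnels to anything other than HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow the VPC, then deny everyone else. Order matters: a
# "deny all" placed before "allow localnet" would block the VPC too.
http_access allow localnet
http_access deny all

# Listening ports (assumed numbers). The intercept ports receive
# traffic redirected by iptables/nftables on the NAT instance.
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/squid-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates for bumped connections
# (helper path and database location are assumptions).
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Bump: terminate the client's TLS at Squid and open a separate TLS
# connection to the origin. Peek at step 1 so the SNI is visible to
# ACLs before the decision to bump is made.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

<div>After changing the access rules, verify from a host outside the VPC that a request through the proxy is refused (Squid answers with a 403 access-denied page rather than relaying), and from inside the VPC that it succeeds; Squid's <code>access.log</code> records the source address and the <code>TCP_DENIED</code> result, so the check is visible there as well.</div>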