[squid-dev] Alternate origin server selection
Steve Hill
steve at opendium.com
Thu Oct 28 16:39:44 UTC 2021
On 28/10/2021 16:41, Alex Rousskov wrote:
> IIRC, Google has recommended (to my surprise) something like that as
> well, for environments where DNS modifications are inappropriate and
> bumping is possible. I cannot find that recommendation now, unfortunately.
Google are very hostile to bumping. But then there's this that
explicitly recommends bumping...
https://support.google.com/a/answer/1668854?hl=en#zippy=%2Cstep-choose-a-web-proxy-server
Nevertheless, if you don't want to bump (which obviously has
significant privacy implications and involves installing certificates on
every device), the virtual IP method is your only option.
Similarly, you can't enforce YouTube Restricted Mode in the YouTube
Android app without using the virtual IP method.
> AFAICT, the primary obstacle here is that Squid pins the connection
> while obtaining the origin server certificate.
Well, I can't see why Squid needs the origin certificate - it should be
able to make a decision off the SNI before connecting to the origin server.
I didn't seem to be able to make the decision prior to the connection
being pinned though. I'm not sure why - I will go back and investigate
further.
Thank you.
--
- Steve Hill
Technical Director | Cyfarwyddwr Technegol
Opendium Online Safety & Web Filtering http://www.opendium.com
Diogelwch Ar-Lein a Hidlo Gwefan
Enquiries | Ymholiadau: sales at opendium.com +44-1792-824568
Support | Cefnogi: support at opendium.com +44-1792-825748
------------------------------------------------------------------------
Opendium Limited is a company registered in England and Wales.
Mae Opendium Limited yn gwmni sydd wedi'i gofrestru yn Lloegr a Chymru.
Company No. | Rhif Cwmni: 5465437
Highfield House, 1 Brue Close, Bruton, Somerset, BA10 0HY, England.