[squid-users] derive HTTP/HTTPS upload traffic to a secondary interface.
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 26 05:41:58 UTC 2015
On 25/02/2015 4:09 a.m., Josep Borrell wrote:
> Hi,
>
> After some digging I realized that this setup works fine for HTTP traffic but not for HTTPS. I'm using ssl_bump in intercept mode.
> Is it possible that for HTTPS traffic I can't split the upload / download?
>
At the connection level Squid is performing multiplexing for the HTTP
messages. They are stateless, so can be split up and delivered over any
connection it finds that meets the criteria.
SSL-Bump however is a single encrypted inbound stream of bytes. Squid is
being a "transparent proxy" for it by ensuring that the outbound is as
closely matching the inbound behaviour as possible. All the messages
that come in on an encrypted stream should be going out on a matching
(singular) outgoing encrypted connection. There are some unavoidable
differences for HITs, error/denies, forged certs etc. but for the most
part it needs to be kept as transparent as possible to reduce HTTPS
problems.
For intercepted traffic you can/should do load balancing by selecting
the paths for new connections rather than messages. This is a major
reason why I recommend doing load balancing at the OS level where NIC
load vs capacity and the additional packet overheads can be taken into
account.
Amos
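The OS-level approach Amos recommends, selecting a path once per new outbound connection rather than per HTTP message, can be done on Linux with conntrack marks and policy routing. The script below is an added example written for this page; it is not from the squid-users thread or the Squid project. Interface names, addresses, gateways, table numbers and marks (eth1/203.0.113.0/24 and eth2/198.51.100.0/24) are hypothetical placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Per-connection (not per-message) uplink selection for a Squid host:
# every outbound TCP connection the host opens to ports 80/443 is assigned
# to one of two uplinks at its first packet, and the choice is stored in the
# conntrack mark so all later packets of that connection (every byte of an
# SSL-bumped stream included) leave on the same interface.
# Hypothetical interfaces, addresses and gateways:
#   eth1: 203.0.113.2/24,  gateway 203.0.113.1  -> routing table 101, mark 0x1
#   eth2: 198.51.100.2/24, gateway 198.51.100.1 -> routing table 102, mark 0x2
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them
# and needs root, iptables and iproute2.

: "${DRY_RUN:=1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # One routing table per uplink, selected by firewall mark.
    run ip route replace default via 203.0.113.1 dev eth1 table 101
    run ip route replace default via 198.51.100.1 dev eth2 table 102
    run ip rule add fwmark 0x1 table 101
    run ip rule add fwmark 0x2 table 102

    # mangle/OUTPUT sees the packets Squid itself generates. First restore a
    # decision already stored on the connection; only still-unmarked NEW
    # connections get classified, alternating between the two uplinks with
    # the statistic/nth match. Packets of established connections never
    # reach the classification rules, so a connection can never switch path.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 2 --packet 0 \
        -j MARK --set-mark 0x1
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -m mark --mark 0 \
        -j MARK --set-mark 0x2
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW \
        -j CONNMARK --save-mark

    # The kernel chose the source address before mangle/OUTPUT re-routed the
    # packet, so rewrite it to the address of the interface actually used;
    # otherwise replies would come back via the wrong uplink (or be dropped).
    run iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.2
    run iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 198.51.100.2
}

apply_rules
```

Because the decision is taken in the mangle OUTPUT chain on the first packet and then carried in the connection mark, the whole TCP connection, and therefore the whole bumped TLS session on top of it, stays on one interface, which is exactly the constraint the reply describes for SSL-Bump. Plain HTTP connections are balanced the same way; Squid is still free to multiplex messages across whichever server connections it holds.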