[squid-users] this config is ok? is ok the order?
Amos Jeffries
squid3 at treenet.co.nz
Wed May 31 15:29:39 UTC 2017
The answer to your question really depends on what your policies are for
who and what the proxy can be used by.
The config tells one set of policies. But if those are not the one(s)
you actually want to happen, then the config is incorrect even if it
"looks okay".
If I assume that it's doing what you want there are still two major
issues that can be seen.
1) Mixing interception and authentication (ssl-bump is a type of
interception, at least on the https:// traffic). Intercepted messages
cannot be authenticated - though there are some workarounds in place for
ssl-bump to authenticate the CONNECT tunnel and label all the bumped
traffic with that username.
2) using 8.8.8.8 directly in squid.conf can be amazingly harmful to
performance. Despite the hype and marketing around Google services, the
behaviour of this one is actively detrimental to HTTP persistent
connections feature - namely it load balances which of their endpoint
servers is handling each DNS query. As such Squid often sees domains
rotating to a completely different bunch of IP addresses every TTL,
which in turn means it cannot easily re-use any open connections to the
prior bunch of IPs. Resulting in a huge churn on TCP sockets and
unnecessary delays waiting for the new ones to open.
And there are a few minor polishing things you can do. But
it's not worth spending time on them until you are sure the config
actually imposes your real wanted policy on the traffic.
Amos
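To make the second point concrete, here is a small simulation (an added example, not part of the post or of Squid's code) of how a resolver whose answers rotate between endpoint sets every TTL defeats persistent-connection reuse compared with a resolver that keeps answering the same set. It assumes a simplified model: one hostname, round-robin pick from the current answer, idle connections kept only while their IP is still in the current answer, and no idle timeout; all IPs are constructed from the TEST-NET-1 range.

```python
"""Simulate persistent-connection reuse on a proxy under stable vs rotating
DNS answers (constructed model, not Squid's actual pconn pool logic)."""


def simulate_connection_reuse(dns_answers, requests_per_ttl=5):
    """dns_answers: list of IP lists, one per TTL window, for the same hostname.
    Each window serves requests_per_ttl requests, picking an IP round-robin
    from the current answer. Returns (reused, opened): requests served over an
    existing idle connection vs requests that had to open a new TCP socket."""
    idle = set()            # idle persistent connections, keyed by server IP
    reused = opened = 0
    for ips in dns_answers:
        # Assumption: an idle connection to an IP no longer in the current
        # answer cannot be used for this hostname, so it is dropped here.
        idle &= set(ips)
        for i in range(requests_per_ttl):
            ip = ips[i % len(ips)]
            if ip in idle:
                reused += 1
            else:
                opened += 1
                idle.add(ip)
    return reused, opened


def answer_churn(dns_answers):
    """Fraction of TTL windows whose answer set differs from the previous one.
    Handy as a check on what a resolver is actually feeding the proxy."""
    changes = sum(
        1 for prev, cur in zip(dns_answers, dns_answers[1:]) if set(prev) != set(cur)
    )
    return changes / (len(dns_answers) - 1) if len(dns_answers) > 1 else 0.0


# Constructed sample answers: a resolver that always returns the same three
# endpoints, and one that rotates to a fresh set of three on every TTL.
STABLE_ANSWERS = [["192.0.2.1", "192.0.2.2", "192.0.2.3"]] * 4
ROTATING_ANSWERS = [
    ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
    ["192.0.2.4", "192.0.2.5", "192.0.2.6"],
    ["192.0.2.7", "192.0.2.8", "192.0.2.9"],
    ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
]

if __name__ == "__main__":
    for name, answers in (("stable", STABLE_ANSWERS), ("rotating", ROTATING_ANSWERS)):
        reused, opened = simulate_connection_reuse(answers)
        print(f"{name:8s} churn={answer_churn(answers):.2f} "
              f"reused={reused} opened={opened}")
```

With the same 20 requests, the stable resolver opens 3 sockets and reuses 17 connections, while the rotating one opens 12 and reuses only 8.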