[squid-users] Secure Web Proxy Stress Testing
Alex Rousskov
rousskov at measurement-factory.com
Tue Apr 10 18:11:05 UTC 2018
On 04/10/2018 11:24 AM, Panagiotis Bariamis wrote:

> Thank you for your answer but as far as I can understand this setup is
> for a regular proxy that just proxies https protocol with http connect
> headers (unencrypted traffic between client and proxy on http connect
> request).

Your understanding is incorrect: All the traffic between the client and
the proxy is encrypted in that test.

> Secure web proxy encrypts traffic between client and proxy

Yes, and that is what the Polygraph workload sketch tests. The Squid
port for that workload is an https_port, not an http_port.

> meaning that you have an http connect request inside a tls tunnel.

Yes, if the origin server is talking TLS. Just like a regular HTTP
proxy, an HTTPS proxy can proxy both plain and encrypted origin server
traffic. The latter requires a CONNECT tunnel. Whether the origin server
talks HTTP or HTTPS is a separate variable/issue, unrelated to whether
the client-proxy communication itself is secured.

Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
supports the combination of the two: TLS inside TLS (because HTTP/2
support essentially required that). I am not sure about Polygraph v4.
The workload I sketched uses HTTPS proxies and plain origin servers.

HTH,

Alex.

> On Tue, Apr 10, 2018, 17:22 Alex Rousskov wrote:
>
> On 04/10/2018 06:31 AM, Panagiotis Bariamis wrote:
> > Is there any stress testing tool to test with a load of 1k to 5k
> > simultaneous connections ?
>
> Web Polygraph (www.web-polygraph.org) supports HTTPS proxies and can
> create thousands of concurrent connections. Below is a PGL configuration
> snippet from a recent HTTPS proxy test in our lab.
>
> HTH,
>
> Alex.
>
>
> SslWrap sslWrap = {
>     ssl_config_file = "openssl.conf";
>     root_certificate = "CA-priv+pub.pem";
>     session_resumption = 70%;
>     session_cache = 100;
> };
>
> Server S = {
>     // no ssl_wraps here unless you want to test TLS inside TLS
>     ...
> };
>
> Proxy P = {
>     addresses = [ ... HTTPS proxy address ... ];
>     ssl_wraps = [ sslWrap ]; // this is an HTTPS proxy
> };
>
> Robot R = {
>     ssl_wraps = [ sslWrap ]; // an HTTPS-capable client
>
>     origins = S.addresses;
>     http_proxies = P.addresses;
>
>     ...
> };
>
> use(S,P,R);
>
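
The two independent variables discussed in this thread (whether the client-proxy hop is TLS, and whether the origin server talks TLS), as an added Python example that is not part of the original messages and not Squid or Polygraph code. The function name `proxy_plan`, the host names and the ports 3128/3129 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def proxy_plan(proxy_url, target_url):
    """Describe, in order, what a client does to fetch target_url via proxy_url."""
    proxy, target = urlsplit(proxy_url), urlsplit(target_url)
    for u in (proxy, target):
        if u.scheme not in DEFAULT_PORT or not u.hostname:
            raise ValueError(f"unsupported URL: {u.geturl()!r}")

    # Variable 1: is the client-proxy hop itself TLS (Squid https_port)?
    hop_tls = proxy.scheme == "https"
    # Variable 2: does the origin server talk TLS? Independent of variable 1.
    origin_tls = target.scheme == "https"

    proxy_port = proxy.port or DEFAULT_PORT[proxy.scheme]
    steps = [f"TCP connect to proxy {proxy.hostname}:{proxy_port}"]
    if hop_tls:
        steps.append("TLS handshake with proxy (outer layer)")

    path = (target.path or "/") + (f"?{target.query}" if target.query else "")
    if origin_tls:
        host = target.hostname
        if ":" in host:  # IPv6 literal needs brackets in authority-form
            host = f"[{host}]"
        first = f"CONNECT {host}:{target.port or 443} HTTP/1.1"
        steps += [first,
                  "TLS handshake with origin inside the tunnel (inner layer)",
                  f"GET {path} HTTP/1.1"]
    else:
        # Plain origin: no tunnel, the proxy gets an absolute-form request.
        first = f"GET http://{target.netloc}{path} HTTP/1.1"
        steps.append(first)

    return {"steps": steps,
            "first_request": first,
            "first_request_encrypted": hop_tls,  # hidden from an on-path observer?
            "tls_layers": int(hop_tls) + int(origin_tls)}


if __name__ == "__main__":
    # Constructed host names and ports, for illustration only.
    for p in ("http://proxy.example:3128", "https://proxy.example:3129"):
        for t in ("http://origin.example/index.html", "https://origin.example/"):
            r = proxy_plan(p, t)
            print(p, "->", t, "| TLS layers:", r["tls_layers"],
                  "| first request encrypted:", r["first_request_encrypted"])
```

The `https://` proxy with an `http://` origin is the combination the sketched workload uses: one TLS layer, and the request line is already encrypted on the client-proxy hop.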