[squid-users] Behavior of Squid with SSL Bump and server persistent connections

Vishali Somaskanthan vishali.somaskanthan at viptela.com
Tue Jul 3 18:02:54 UTC 2018


Thanks for the quick reply. I want to explain my question further.

Consider C1 and S1 connections were created for an HTTPS connection using
ssl-bump. C1 has been served and closed from the client side.

Now, the client initiates another HTTPS connection, C2. Since persistent
connection is enabled, the expectation is to see that S1 gets re-used.

Behaviour seen now is that S2 gets created and a handshake ensues between
squid and server. After ~30 seconds, S1 is re-used to serve the request C2.
Persistence seems to work since S1 is re-used. However, why was S2 initiated
and why was S1 re-used after ~30 seconds?

PFA: pcap file and the squid.conf

On Mon, Jul 2, 2018 at 4:57 PM, Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 07/02/2018 05:34 PM, Vishali Somaskanthan wrote:
>
> > I am trying out SSL Bump for my connections from Squid to server and
> > trying to put along server persistent connections as well. I would like
> > to know how squid behaves with both of these turned on??
>
> In modern Squids, all(*) bumped SSL client HTTP requests (from client
> connection C) should use the corresponding bumped connection to the
> server (S). After the first HTTP request, if more requests arrive on
> connection C, and they are all regular/basic requests, then they can all
> go through connection S. Once HTTP rules, timeouts, or other factors
> prohibit connection S or connection C reuse, Squid should close both
> connections.
>
> Please note that I do not know whether Squid correctly forces all(*)
> HTTP requests on connection C to connection S, but it should. If it does
> not, file a bug report. Same for closing connection C when connection S
> becomes unusable.
>
>
> > I see info in the squid wiki page that SSL Bump creates fake CONNECT
> > requests and Peeking at Step1 creates another CONNECT request.
>
> Peeking or staring may indeed produce internal fake CONNECT requests,
> but they are unrelated to your question. They are used internally to
> handle the client TLS connection and for giving adaptation services a
> say in the matter. Persistency is an HTTP term that is applied to what
> happens _after_ the TLS connection is bumped.
>
> (Also, peeking is a part of the SslBump feature -- they are not two
> different actions or stages as "and" in your summary implies).
>
>
> HTH,
>
> Alex.
> P.S. (*) "all" should be interpreted as "all that need a server
> connection" here -- pure cache hits, adaptation-satisfied requests, and
> probably some erroneous requests (e.g., those blocked by http_access
> rules?) do not use the server connection.
>



-- 
Regards,
Vishali Somaskanthan
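For readers reproducing the scenario discussed above, here is an added example squid.conf (not the configuration attached to this message): it enables SslBump with peek at step 1 followed by bump, keeps server-side persistent connections on, and defines an access log format whose %<la:%<lp field identifies the server connection each request used, so reuse of S1 versus creation of a new S2 can be read from access.log instead of a pcap. The port, certificate path, helper path and certificate database path are assumptions, and the directive syntax is Squid 4.

```conf
# Added example, not the squid.conf from this thread. Assumed values:
# port 3128, /etc/squid/bump.pem, the certgen helper and db paths.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# Peek at the TLS ClientHello (step 1), then bump the connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# HTTP persistence on both sides. Idle server connections stay in the
# pool for pconn_timeout (default 1 minute) before Squid closes them.
client_persistent_connections on
server_persistent_connections on
pconn_timeout 1 minute

# %<la:%<lp is Squid's local address:port on the server-side connection.
# Two requests logging the same pair went over the same server connection
# (S1 reused); a different pair means a new connection (S2) was opened.
logformat pconn %ts.%03tu %>a:%>p %<a:%<p %<la:%<lp %Ss/%03>Hs %rm %ru
access_log /var/log/squid/access.log pconn
```

Comparing the %<la:%<lp values of the requests on C1 and C2, together with their timestamps, shows directly whether the second request reused S1 immediately or only after the ~30 second gap described above.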