[squid-users] Sibling cache with ssl peek/splice/bump?

Alex Rousskov rousskov at measurement-factory.com
Tue May 15 14:48:34 UTC 2018


On 05/15/2018 08:27 AM, Alex Crow wrote:

> Is it currently possible in v4 with bumping to have a cache_peer setup
> so that https:// resources can be fetched from a peer if they are
> available there?


If I am interpreting the "if available" part of your question correctly,
then what you want is unsupported in most SslBump environments because a
bumping Squid does not receive requests for HTTP resources and, hence,
cannot check whether a resource is available somewhere. Squid receives
requests for blind TCP tunnels.

Yes, SslBump converts blind TCP tunnels into HTTP transactions, but in
nearly all practical setups, that conversion happens _after_ the TCP
connection is established and pinned to the requested server. At the TCP
connection establishment time, the HTTP resource (to be requested inside
the tunnel) is still unknown.

FWIW, with an experimental patch, you can route TCP tunnels to peers:
https://github.com/squid-cache/squid/compare/53fdd3f...measurement-factory:7a4c4ed.patch


Squid could disregard connection pinning and request the HTTP resource
by establishing a new HTTPS connection (via a secure cache_peer if
necessary). I have not tested this, but I suspect that Squid does not do
that today: After bumping, you may get local cache hits, but no
HTTP-level peering.


HTH,

Alex.

