[squid-users] Questions about connection pooling to origins when using squid as a HTTPS forward egress proxy
Amos Jeffries
squid3 at treenet.co.nz
Fri Jun 7 12:58:30 UTC 2019
On 7/06/19 11:24 pm, Srikanth Raju wrote:
> > * The biggest reason we care about TLS termination with bump is
> > because we think it might give us performance benefits along some
> > critical code paths *due to connection pooling to some slow
> > upstreams within squid.*
> > * Does squid automatically do this or does it need some extra config?
> > I was looking at the 'server_connections' config var.
>
> HTTPS connections cannot be pooled due to protocol ties at the transport
> level between clients and servers. Once details of the TLS handshake are
> delivered they are pinned together.
>
> Well, what I meant was that if we use the "bump" directive, it is
> effectively terminating the TLS connection from the client at squid. And
> then squid initiates a separate TLS connection to the server, with its
> own shared secret. Those connections to the servers/backends can be
> pooled. This means there's a decryption/re-encryption step in between. Isn't
> that what happens with squid?
Not to the degree needed for pooling. There are still many properties,
from termination status to token binding, which require a 1:1 binding
between them.
It could potentially be done one day. But it is not present yet, and TLS is
in an arms-race situation which makes it harder all the time to even do
SSL-Bump transparently.
It is really only possible for CDN operators to do pooling to their
origin servers. That is because they (reverse proxies) do not have to
use SSL-Bump at all.
Amos