[squid-users] Questions about connection pooling to origins when using squid as a HTTPS forward egress proxy
Alex Rousskov
rousskov at measurement-factory.com
Fri Jun 7 16:04:02 UTC 2019
On 6/7/19 5:24 AM, Srikanth Raju wrote:
>
>
> > * The biggest reason we care about TLS termination with bump is
> > because we think it might give us performance benefits along some
> > critical code paths *due to connection pooling to some slow
> > upstreams within squid.*
> > * Does squid automatically do this or does it need some extra
> config.
> > I was looking at 'server_connections' config var.
>
> HTTPS connections cannot be pooled due to protocol ties at the transport
> level between clients and servers. Once details of the TLS handshake are
> delivered they are pinned together.
>
> Well, what I meant was, that if we use "bump" directive, it is
> effectively terminating the TLS connection from client at squid.
If you bump at step 1 (a.k.a. client-first bumping), then yes, TLS
connections to server can be pooled. I do not know whether Squid
supports that today, but there is no fundamental reason why it cannot.
Unfortunately, in most cases, you cannot successfully bump at step 1.
If you bump at step 2+, then the resulting client-Squid and Squid-server
connection pairs are based on the client handshake. Yes, Squid
establishes its own TLS connection to the origin server, but it does so
while mimicking TLS client properties. Reusing that server connection
for another client would be risky -- the second client can request some
TLS security features that the first client did not care about, and
Squid would have to essentially ignore the second client requirements
when talking to the origin server using a reused to-server connection
established on behalf of the first TLS client. It would be possible to
add an option that enables such risky reuse AFAICT, but that reuse
should not be done by default.
> And
> then squid initiates a separate TLS connection to the server. with it's
> own shared secret. Those connections to the servers/backends can be
> pooled. This means there's a decryption/reencryption step in between. Is
> not that what happens with squid?
Yes, it is, but pooling is disabled (i.e. the to-server connection is
"pinned" to the from-client connection) due to security concerns
discussed above.
Alex.
More information about the squid-users
mailing list