[squid-users] transparent https with delay
Alex Rousskov
rousskov at measurement-factory.com
Mon Feb 10 15:38:11 UTC 2020
On 2/10/20 6:32 AM, Yurii Kirychuk wrote:
> Is it normal that a secure connection to the site is delayed by 10-15
> seconds?
No, it is not. Most likely, you are suffering from some kind of a DNS,
IPv6, or TCP timeout.
You may be able to identify the culprit by watching DNS and TCP traffic
while reproducing the problem with a single transaction on an otherwise
idle Squid. Studying access.log may also be helpful, especially if you
add %codes reflecting DNS response times. If everything else fails,
studying cache.log with high debugging levels may be necessary (see
debug_options in squid.conf).
Alex.
> squid 4.10, transparent http/https
>
> squid.conf
> acl localnet src 10.3.198.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> acl blackmails dstdom_regex "/etc/squid/blackmailssl"
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny blackmails
>
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> dns_nameservers 10.3.198.254 10.3.105.2 10.3.100.2
> dns_v4_first on
>
> http_port 10.3.198.226:3128
> http_port 10.3.198.226:3129 intercept
> https_port 10.3.198.226:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB connection-auth=off tls-cert=/etc/squid/squidCA.pem
>
> tls_outgoing_options options=NO_SSLv3
>
> acl blackmailssl ssl::server_name_regex "/etc/squid/blackmailssl"
> acl step1 at_step SslBump1
>
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /usr/lib/squid/ssl_db -M 8MB
>
> ssl_bump peek step1
> ssl_bump splice !blackmailssl
> ssl_bump terminate all
>
> cache_dir ufs /var/spool/squid 10240 16 256
> maximum_object_size 1024 KB
>
> coredump_dir /var/spool/squid
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
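A worked example of the access.log approach Alex suggests, added here and not part of the thread or of Squid's own code. It assumes a custom logformat built from standard Squid 4 %codes (%tr total response time, %dt DNS lookup time, %<tt total server-side time, plus %ssl::>sni, %ssl::bump_mode and %err_code) and then attributes each slow transaction to DNS wait, server-side (TCP connect/handshake/response) wait, or neither. The logformat name "timing", the log path, the 5 s threshold and the sample log lines are this example's own assumptions and constructed data. One caveat it handles: for spliced or bumped HTTPS, Squid logs the fake CONNECT only when the tunnel closes, so %tr and %<tt are the tunnel's lifetime rather than a delay, and only the DNS timer is meaningful for those lines.

```python
"""Attribute slow Squid transactions to DNS wait, server-side (TCP) wait, or
something else, from an access.log that records per-phase timings.

Added example, not code from the squid-users thread. It assumes squid.conf
carries a custom logformat built from standard Squid 4 %codes:

    logformat timing %ts.%03tu %tr %dt %<tt %>a %Ss/%03>Hs %rm %ru %ssl::>sni %ssl::bump_mode %err_code
    access_log /var/log/squid/access.log timing

%tr  = whole transaction time seen by the client, ms
%dt  = time Squid spent waiting for DNS answers, ms
%<tt = time from the first connect attempt to the origin until the last
       server-side I/O, ms (covers TCP connect, address fallbacks, TLS)
The name "timing", the log path and the thresholds are this example's choices.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SLOW_MS = 5000  # threshold for "worth explaining"; the thread reports 10-15 s


@dataclass
class Entry:
    ts: float
    response_ms: int   # %tr
    dns_ms: int        # %dt
    server_ms: int     # %<tt
    client: str
    status: str        # %Ss/%>Hs, e.g. TCP_MISS/200 or TCP_TUNNEL/200
    method: str
    url: str
    sni: str
    bump_mode: str
    err_code: str


def _ms(field: str) -> int:
    """Squid prints '-' for a timer that never ran; treat that as 0 ms."""
    return 0 if field == "-" else int(field)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line in the 'timing' format; None for anything else
    (e.g. a line in the default 'squid' format, or a truncated line)."""
    f = line.split()
    if len(f) != 11:
        return None
    try:
        return Entry(float(f[0]), _ms(f[1]), _ms(f[2]), _ms(f[3]),
                     f[4], f[5], f[6], f[7], f[8], f[9], f[10])
    except ValueError:
        return None


def classify(e: Entry, slow_ms: int = SLOW_MS) -> str:
    """Label where a slow transaction spent its time.

    For spliced/bumped HTTPS Squid logs the fake CONNECT when the tunnel
    closes, so %tr and %<tt are the tunnel's lifetime, not a delay; only
    the DNS timer is meaningful there.
    """
    if e.status.startswith("TCP_TUNNEL"):
        return "dns" if e.dns_ms >= slow_ms else "tunnel"
    if e.response_ms < slow_ms:
        return "ok"
    if e.dns_ms * 2 >= e.response_ms:
        return "dns"      # name resolution dominated (slow or unreachable resolver)
    if e.server_ms * 2 >= e.response_ms:
        return "server"   # connect/handshake/response dominated (TCP timeouts, v6/v4 fallback)
    return "other"        # left over: client side, ACL/helper waits, Squid itself


def attribute(log_text: str, slow_ms: int = SLOW_MS) -> List[Tuple[str, Entry]]:
    """Classify every parseable line; lines in another format are skipped."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            out.append((classify(e, slow_ms), e))
    return out


def summarize(log_text: str, slow_ms: int = SLOW_MS) -> dict:
    """Count transactions per label."""
    counts: dict = {}
    for label, _ in attribute(log_text, slow_ms):
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample log (not real traffic). The last line is in Squid's
# default format and shows that foreign lines are ignored rather than misread.
SAMPLE_LOG = """\
1581348720.123 14210 14002 180 10.3.198.40 TCP_TUNNEL/200 CONNECT example.com:443 example.com splice -
1581348731.456 12050 12 11980 10.3.198.41 TCP_MISS/200 GET http://example.net/ - - -
1581348735.789 320 4 280 10.3.198.42 TCP_MISS/200 GET http://example.org/ - - -
1581348740.012 15000 - 14900 10.3.198.43 TCP_MISS/503 GET http://example.edu/ - - ERR_CONNECT_FAIL
1581348750.345 600000 3 599900 10.3.198.44 TCP_TUNNEL/200 CONNECT example.com:443 example.com splice -
1581348760.000 50 10.3.198.45 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

if __name__ == "__main__":
    for label, e in attribute(SAMPLE_LOG):
        print(f"{label:7} tr={e.response_ms:>6}ms dns={e.dns_ms:>6}ms srv={e.server_ms:>6}ms "
              f"{e.status} {e.method} {e.url} sni={e.sni} err={e.err_code}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real log with `attribute(open("/var/log/squid/access.log").read())` once the logformat above is in place; a run of "dns" labels points at the resolvers in dns_nameservers, a run of "server" labels at TCP or address-family problems on the path to the origin, and "tunnel" lines carry no usable delay information beyond their DNS timer.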