Secure Web Proxy Stress Testing

Secure Web Proxy Stress Testing

Panagiotis Bariamis
Hello,
I am trying to stress test a squid proxy (Secure Web Proxy, meaning that the client to proxy connection is encrypted).
I tried with Jmeter but it does not support Secure Web Proxy.
To make things clear, I use squid with option https_port and clients get the config from a pac file that states return "HTTPS https://xxxxxxxx:3128";
Is there any stress testing tool to test with a load of 1k to 5k simultaneous connections?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Secure Web Proxy Stress Testing

Alex Rousskov
On 04/10/2018 06:31 AM, Panagiotis Bariamis wrote:
> Is there any stress testing tool to test with a load of 1k to 5k
> simultaneous connections ?

Web Polygraph (www.web-polygraph.org) supports HTTPS proxies and can
create thousands of concurrent connections. Below is a PGL configuration
snippet from a recent HTTPS proxy test in our lab.

HTH,

Alex.


SslWrap sslWrap = {
    ssl_config_file = "openssl.conf";
    root_certificate = "CA-priv+pub.pem";
    session_resumption = 70%;
    session_cache = 100;
};

Server S = {
    // no ssl_wraps here unless you want to test TLS inside TLS
    ...
};

Proxy P = {
    addresses = [ ... HTTPS proxy address ... ];
    ssl_wraps = [ sslWrap ]; // this is an HTTPS proxy
};

Robot R = {
    ssl_wraps = [ sslWrap ]; // an HTTPS-capable client

    origins = S.addresses;
    http_proxies = P.addresses;

    ...
};

use(S,P,R);

Re: Secure Web Proxy Stress Testing

Panagiotis Bariamis
Thank you for your answer, but as far as I can understand this setup is for a regular proxy that just proxies https protocol with http connect headers (unencrypted traffic between client and proxy on http connect request). Secure web proxy encrypts traffic between client and proxy, meaning that you have an http connect request inside a tls tunnel.


Re: Secure Web Proxy Stress Testing

Alex Rousskov
On 04/10/2018 11:24 AM, Panagiotis Bariamis wrote:
> Thank you for your answer  but as far as I can understand this setup is
> for a regular proxy that just proxies https protocol with http connect
> headers (unencrypted traffic between client and proxy on http connect
> request ) .

Your understanding is incorrect: All the traffic between the client and
the proxy is encrypted in that test.


> Secure web proxy encrypts traffic between client and proxy

Yes, and that is what the Polygraph workload sketch tests. The Squid
port for that workload is an https_port, not an http_port.


> meaning that you have an http connect request inside a tls tunnel. 

Yes, if the origin server is talking TLS. Just like a regular HTTP
proxy, an HTTPS proxy can proxy both plain and encrypted origin server
traffic. The latter requires a CONNECT tunnel. Whether the origin server
talks HTTP or HTTPS is a separate variable/issue, unrelated to whether
the client-proxy communication itself is secured.

Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
supports the combination of the two: TLS inside TLS (because HTTP/2
support essentially required that). I am not sure about Polygraph v4.
The workload I sketched uses HTTPS proxies and plain origin servers.


HTH,

Alex.
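
The distinction drawn in the reply above, as an added example (not code from this thread, Squid or Polygraph): the client-proxy TLS session is the same in both cases, and only the first request sent inside it depends on whether the origin is plain or TLS. The function names and the proxy host, port and CA file passed to `probe` are assumptions supplied by the caller.

```python
import socket
import ssl
from urllib.parse import urlsplit

def first_request(url: str) -> bytes:
    """Bytes the client sends to the proxy inside the client-proxy TLS session."""
    u = urlsplit(url)
    if u.hostname is None or u.scheme not in ("http", "https"):
        raise ValueError(f"unsupported URL: {url!r}")
    host = f"[{u.hostname}]" if ":" in u.hostname else u.hostname
    if u.scheme == "https":
        # TLS origin: ask the proxy for a tunnel; the origin TLS handshake
        # then runs inside it (TLS inside TLS).
        authority = f"{host}:{u.port or 443}"
        return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()
    # Plain origin: ordinary proxy request with an absolute-form target.
    authority = host if u.port in (None, 80) else f"{host}:{u.port}"
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    return (f"GET http://{authority}{path} HTTP/1.1\r\n"
            f"Host: {authority}\r\nConnection: close\r\n\r\n").encode()

def parse_status(head: bytes) -> int:
    """Status code from the proxy's response head; raises on non-HTTP data."""
    line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])

def probe(proxy_host: str, proxy_port: int, url: str, cafile: str):
    """One request through an https_port; returns (TLS version, proxy status)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the proxy's certificate
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            tls.sendall(first_request(url))
            head = b""
            while b"\r\n\r\n" not in head:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                head += chunk
            return tls.version(), parse_status(head)
```

If the port being probed is a plain http_port rather than an https_port, the TLS handshake in `probe` fails before any HTTP request is sent, which makes this a quick check of which kind of port a test is really exercising.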




Re: Secure Web Proxy Stress Testing

Panagiotis Bariamis
Thank you for the clarification. 


Re: Secure Web Proxy Stress Testing

Panagiotis Bariamis


Thank you,
Bariamis Panagiotis

On Tue, Apr 10, 2018 at 10:14 PM, Panagiotis Bariamis <[hidden email]> wrote:
Thank you for the clarification. 

On Tue, Apr 10, 2018, 21:11 Alex Rousskov <[hidden email]> wrote:


>Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
>supports the combination of the two: TLS inside TLS (because HTTP/2
>support essentially required that). I am not sure about Polygraph v4.
>The workload I sketched uses HTTPS proxies and plain origin servers.


Hello Alex,
I am trying to use Polygraph as suggested.
However, squid servers are part of the University Network so routing changes are not possible as suggested by polymix-4.pg.
Which test do you think I should use without routing changes (poly server and client will have just a public ip and the regular loopback interface)?




Re: Secure Web Proxy Stress Testing

Alex Rousskov
On 04/14/2018 12:08 PM, Panagiotis Bariamis wrote:

>     On Tue, Apr 10, 2018, 21:11 Alex Rousskov wrote:
>> Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
>> supports the combination of the two: TLS inside TLS (because HTTP/2
>> support essentially required that). I am not sure about Polygraph v4.
>> The workload I sketched uses HTTPS proxies and plain origin servers.


>         I am trying to use Polygraph as suggested.
>         However, squid servers are part of the University Network so
>         routing changes are not possible as suggested by polymix-4.pg
>         Which test do you think I should use without routing changes (poly
>         server and client will have just a public ip and the regular
>         loopback interface)?

This mailing list is not the right place for Polygraph support[1], but I
recommend writing your own workload for your own tests: Start with
simple.pg, use the IP addresses you want to use, and then add more bells
and whistles as needed (and as you get comfortable with the tool), one
change at a time. This is the approach used by the tutorial[2] as well.

  [1] http://lists.web-polygraph.org/mailman/listinfo/users
  [2] http://www.web-polygraph.org/test/docs/userman/simple.html


Cheers,

Alex.