Sibling cache with ssl peek/splice/bump?

Alex Crow-2
Hi list,

Is it currently possible in v4 with bumping to have a cache_peer setup
so that https:// resources can be fetched from a peer if they are
available there?

Many thanks

Alex

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Sibling cache with ssl peek/splice/bump?

Alex Rousskov
On 05/15/2018 08:27 AM, Alex Crow wrote:

> Is it currently possible in v4 with bumping to have a cache_peer setup
> so that https:// resources can be fetched from a peer if they are
> available there?


If I am interpreting the "if available" part of your question correctly,
then what you want is unsupported in most SslBump environments because a
bumping Squid does not receive requests for HTTP resources and, hence,
cannot check whether a resource is available somewhere. Squid receives
requests for blind TCP tunnels.

Yes, SslBump converts blind TCP tunnels into HTTP transactions, but in
nearly all practical setups, that conversion happens _after_ the TCP
connection is established and pinned to the requested server. At the TCP
connection establishment time, the HTTP resource (to be requested inside
the tunnel) is still unknown.

FWIW, with an experimental patch, you can route TCP tunnels to peers:
https://github.com/squid-cache/squid/compare/53fdd3f...measurement-factory:7a4c4ed.patch


Squid could disregard connection pinning and request the HTTP resource
by establishing a new HTTPS connection (via a secure cache_peer if
necessary). I have not tested this, but I suspect that Squid does not do
that today: After bumping, you may get local cache hits, but no
HTTP-level peering.


HTH,

Alex.