Re: [squid-users] Basic questions on transparent/intercept proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 30 Jul 2013 23:04:46 +1200

On 30/07/2013 9:28 p.m., csn233 wrote:
>> Please use "reply all" instead of "reply"!
>>
>> For an intercepted proxy, you only use HTTP/HTTPS interception, so the browser
>> will access the FTP site directly. (Unless you have blocked/redirected the FTP port.)
>>
>> Amm.
> Clicked wrong button... It's to do with the requirement to log all
> traffic, including FTP, as well as the caching benefits.

As stated, that requirement is impossible to implement via Squid. You
need to chop it down to a smaller size. In particular, there are many
overheads in the TCP/IP layer and in other non-HTTP protocols which
Squid can neither measure nor log. Only the system firewall and related
Layer-2 software have sufficient access to all the information a full
measurement needs.

For all protocols other than plain-text HTTP there are *no* caching
benefits from Squid. Squid will simply *add* the overheads of processing and
possibly a few hundred bytes necessary to set up CONNECT tunnels to
peers. Unless you are using ssl-bump to decrypt HTTPS into plain-text
HTTP for Squid's usage, it is also one of those other protocols where you
get no caching benefit, because everything a cache needs to use is
locked away inside the encryption.

NP: adding SSL-bump just to get a measurement is a very bad reason to do
it on a production proxy. Better to accept that HTTPS has no cache gains
and leave it for now.

Amos
Received on Tue Jul 30 2013 - 11:05:21 MDT
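The point Amos makes above, that only the firewall sees every byte (headers, FTP data connections, DNS, ICMP) while a port-based intercept only ever delivers tcp/80 (and tcp/443 if bumped) to Squid, can be checked with the firewall's own logging. The following is an added example, not code from the thread or from the Squid project. It assumes a netfilter accounting rule such as `iptables -A FORWARD -j LOG --log-prefix "FW-ACCT: "` (the LOG target and its `SRC=/DST=/LEN=/PROTO=/DPT=` field format are real; the rule placement and the kernel log lines below are constructed for this example) and sums IP-level bytes per service, then reports how much of that traffic a REDIRECT of the chosen ports would actually route through the proxy. For production accounting you would rather use NFLOG with ulogd or conntrack counters than parsing `kern.log`, but the measurement is the same.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines in netfilter LOG target format.
# Not real traffic: addresses are from documentation ranges, sizes are made up.
SAMPLE_KERNEL_LOG = """\
Jul 30 22:59:01 gw kernel: FW-ACCT: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 30 22:59:01 gw kernel: FW-ACCT: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51000 DPT=21 WINDOW=229 RES=0x00 ACK URGP=0
Jul 30 22:59:02 gw kernel: FW-ACCT: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51001 DPT=20 WINDOW=229 RES=0x00 ACK URGP=0
Jul 30 22:59:03 gw kernel: FW-ACCT: IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=42000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 30 22:59:03 gw kernel: FW-ACCT: IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.7 LEN=569 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=42000 DPT=443 WINDOW=229 RES=0x00 ACK PSH URGP=0
Jul 30 22:59:04 gw kernel: FW-ACCT: IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=6 PROTO=UDP SPT=53122 DPT=53 LEN=56
Jul 30 22:59:05 gw kernel: FW-ACCT: IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# Only the fields we account on; ID=, TOS=, WINDOW= etc. are ignored.
_FIELD = re.compile(r"\b(IN|OUT|SRC|DST|LEN|PROTO|SPT|DPT|TYPE)=(\S*)")

SERVICE_BY_PORT = {20: "ftp-data", 21: "ftp-control", 22: "ssh", 25: "smtp",
                   53: "dns", 80: "http", 443: "https"}


def parse_log_line(line):
    """Return the netfilter LOG fields of one kernel log line, or None if the
    line is not one. Only the FIRST LEN= is kept: that is the IP total length,
    headers included. UDP lines carry a second LEN= (UDP length); the gap
    between the two is precisely the header overhead a proxy never sees."""
    if "PROTO=" not in line or "LEN=" not in line:
        return None
    fields = {}
    for key, value in _FIELD.findall(line):
        fields.setdefault(key, value)      # keep the first occurrence of each key
    try:
        fields["LEN"] = int(fields["LEN"])
    except (KeyError, ValueError):
        return None
    for key in ("SPT", "DPT"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def service_of(fields):
    """Name the traffic by protocol and destination port, e.g. 'tcp/ftp-data'."""
    proto = fields.get("PROTO", "?").lower()
    if proto in ("tcp", "udp"):
        port = fields.get("DPT")
        return f"{proto}/{SERVICE_BY_PORT.get(port, port)}"
    return proto                            # icmp, gre, esp ... carry no port


def account(lines):
    """Sum packets and IP-level bytes per service over an iterable of log lines."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        entry = totals[service_of(fields)]
        entry["packets"] += 1
        entry["bytes"] += fields["LEN"]
    return dict(totals)


def intercept_coverage(totals, intercept_ports=(80, 443)):
    """Bytes a port-based REDIRECT to Squid would route through the proxy versus
    everything the firewall counted. Returns (proxied_bytes, total_bytes).
    Note that bytes on 443 reach Squid only as an opaque CONNECT tunnel unless
    ssl-bump is in use, so 'proxied' does not mean 'cacheable'."""
    wanted = {f"tcp/{SERVICE_BY_PORT.get(p, p)}" for p in intercept_ports}
    proxied = sum(t["bytes"] for s, t in totals.items() if s in wanted)
    total = sum(t["bytes"] for t in totals.values())
    return proxied, total


if __name__ == "__main__":
    totals = account(SAMPLE_KERNEL_LOG.splitlines())
    for service, t in sorted(totals.items()):
        print(f"{service:16s} {t['packets']:4d} pkts {t['bytes']:7d} bytes")
    proxied, total = intercept_coverage(totals)
    print(f"through Squid (tcp/80,443 redirect): {proxied} of {total} bytes")
```

Run against the constructed sample, the FTP control and data connections, DNS and ICMP account for most of the bytes and never touch Squid at all; the HTTPS bytes do pass through a tcp/443 redirect, but as an encrypted tunnel, which is the "no caching benefit" case from the reply.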
