Re: [squid-users] SSL traffic
On 05/04/11 20:01, Víctor José Hernández Gómez wrote:
> Dear squid users,
>
> we remember to have measured the percentage of bandwidth devoted to SSL in our squid installation, and it was about 10 percent of total traffic. SSL is not cacheable, and I think its use is increasing.
>
> I wonder if there is any experience with squid software using SSL engines (hardware devices) via openssl to get a better behaviour (that is, better performance) of SSL traffic. What do you think Squid would do with such hardware?

HTTPS traffic is encrypted/decrypted by the client and server. Squid just shuffles their pre-encrypted bytes to and fro.

> Any other idea regarding SSL treatment would be very welcome (parameter tuning either on OS, squid, or openssl, etc..)

If Squid is permitted to see the HTTP requests inside the SSL they are usually as cacheable as non-SSL requests.

Please help us encourage the browser developers to make SSL links to a trusted SSL-enabled proxy and pass the requests to it. Then we can all benefit from improved HTTPS speeds.

For now the tunneling Squid performs as good as non-caching proxies. Or in situations where the ssl-bump feature can be used they work slower but with cache HITs being possible.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6
Re: [squid-users] SSL traffic
On 05/04/11 10:31, Amos Jeffries wrote:
> On 05/04/11 20:01, Víctor José Hernández Gómez wrote:
>> Dear squid users,
>>
>> we remember to have measured the percentage of bandwidth devoted to SSL in our squid installation, and it was about 10 percent of total traffic. SSL is not cacheable, and I think its use is increasing.
>>
>> I wonder if there is any experience with squid software using SSL engines (hardware devices) via openssl to get a better behaviour (that is, better performance) of SSL traffic. What do you think Squid would do with such hardware?
>
> HTTPS traffic is encrypted/decrypted by the client and server. Squid just shuffles their pre-encrypted bytes to and fro.

I thought that the --enable-ssl and --with-openssl compilation options would provide squid with the ability to use openssl functions to treat SSL traffic. In such a case, operating with hardware instead of software would accelerate squid. I see that is not the case.

>> Any other idea regarding SSL treatment would be very welcome (parameter tuning either on OS, squid, or openssl, etc..)
>
> If Squid is permitted to see the HTTP requests inside the SSL they are usually as cacheable as non-SSL requests.
>
> Please help us encourage the browser developers to make SSL links to a trusted SSL-enabled proxy and pass the requests to it. Then we can all benefit from improved HTTPS speeds.
>
> For now the tunneling Squid performs as good as non-caching proxies. Or in situations where the ssl-bump feature can be used they work slower but with cache HITs being possible.

Thank you for your help.

--
Víctor J. Hernández Gómez
Re: [squid-users] SSL traffic
On 05/04/11 21:40, Víctor José Hernández Gómez wrote:
> On 05/04/11 10:31, Amos Jeffries wrote:
>> On 05/04/11 20:01, Víctor José Hernández Gómez wrote:
>>> Dear squid users,
>>>
>>> we remember to have measured the percentage of bandwidth devoted to SSL in our squid installation, and it was about 10 percent of total traffic. SSL is not cacheable, and I think its use is increasing.
>>>
>>> I wonder if there is any experience with squid software using SSL engines (hardware devices) via openssl to get a better behaviour (that is, better performance) of SSL traffic. What do you think Squid would do with such hardware?
>>
>> HTTPS traffic is encrypted/decrypted by the client and server. Squid just shuffles their pre-encrypted bytes to and fro.
>
> I thought that the --enable-ssl and --with-openssl compilation options would provide squid with the ability to use openssl functions to treat SSL traffic. In such a case, operating with hardware instead of software would accelerate squid. I see that is not the case.

They do. For the traffic which is destined directly to Squid (https_port) and out of Squid (from plain-HTTP requests with https:// URL), and for ssl-bump manipulations. But not for CONNECT tunnels, which is what browsers usually wrap HTTPS inside.

>>> Any other idea regarding SSL treatment would be very welcome (parameter tuning either on OS, squid, or openssl, etc..)
>>
>> If Squid is permitted to see the HTTP requests inside the SSL they are usually as cacheable as non-SSL requests.
>>
>> Please help us encourage the browser developers to make SSL links to a trusted SSL-enabled proxy and pass the requests to it. Then we can all benefit from improved HTTPS speeds.
>>
>> For now the tunneling Squid performs as good as non-caching proxies. Or in situations where the ssl-bump feature can be used they work slower but with cache HITs being possible.
>
> Thank you for your help.

Welcome.

Amos
Re: [squid-users] SSL Traffic Monitoring
Hello,

This is a tricky one:

1. Traffic is encrypted so any attempt to proxy the traffic could be considered a man in the middle attack.
   - apparently there was an ssl patch, or in a future version of squid you will be able to filter / log HTTPS connections.

Right now I am using the following method:

    # CONNECT proto - allow goodsites
    # (goodhttps is the separate CONNECT-to-port-443 acl mentioned below)
    acl goodsslsites dstdom_regex /tmp/ssl_sites
    http_access deny !goodsslsites goodhttps

I have another filter that only allows the CONNECT method on port 443. In my ssl_sites file is a list of domains that company employees need access to. I have added in all banks and a few requested sites (once they were verified to be work related). This was done to block people from running SSL tunnels over port 443 to gain access to non approved work applications.

Then on port 80 only allow HTTP traffic.

Michael.

On Wed, 4 Aug 2004 17:20:15 -0400
McDonald, Rob [EMAIL PROTECTED] wrote:
> I am looking to start caching SSL traffic, so I can make the content conform to company HR policies. There are commercial products that do this. I was wondering what the Squid crowd was doing for this issue?
>
> Thanks,
> Rob

--
Michael Gale
Network Administrator
Utilitran Corporation
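An added check for the dstdom_regex allowlist method described above (example code written for this page, not from the thread or from Squid). It parses a constructed ssl_sites-style file, flags patterns that are not anchored with a trailing "$" (a dstdom_regex pattern is a regex search, so an unanchored bare domain also matches any longer hostname that contains it), applies the CONNECT-only-to-port-443 rule from the second filter, and shows how to anchor a bare domain. The file contents and hostnames are constructed for the example.

```python
import re

# Constructed allowlist in the one-regex-per-line format of /tmp/ssl_sites.
SSL_SITES = r"""
# bare domain, unanchored: dstdom_regex is a substring search
bank.example
# anchored: exactly this host
^secure\.payroll\.example$
# anchored: this domain and its subdomains
(^|\.)mail\.example$
"""

# Constructed CONNECT targets as a browser sends them (host:port).
TARGETS = [
    "bank.example:443",
    "bank.example.attacker.test:443",   # over-matched by the unanchored line
    "notbank.example:443",              # also over-matched ('.' matches any char)
    "secure.payroll.example:443",
    "secure.payroll.example.attacker.test:443",
    "imap.mail.example:443",
    "mail.example:8443",                # allowed host, but not port 443
]

def load_patterns(text):
    """One regex per line; blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def unanchored(patterns):
    """Patterns without a trailing '$' also match hosts that merely contain them."""
    return [p for p in patterns if not p.endswith("$")]

def anchor_domain(domain):
    """Rewrite a bare domain so it matches only that domain and its subdomains."""
    return r"(^|\.)" + re.escape(domain) + "$"

def host_allowed(host, patterns):
    # re.search mirrors dstdom_regex: a match anywhere in the hostname passes.
    return any(re.search(p, host) for p in patterns)

def connect_allowed(target, patterns):
    """Apply both filters from the thread: allowlisted host AND port 443."""
    host, _, port = target.rpartition(":")
    return port == "443" and host_allowed(host, patterns)

def audit(text, targets):
    """Return the unanchored patterns and the decision for each target."""
    pats = load_patterns(text)
    return unanchored(pats), {t: connect_allowed(t, pats) for t in targets}

if __name__ == "__main__":
    loose, decisions = audit(SSL_SITES, TARGETS)
    print("unanchored patterns:", loose)
    for t, ok in decisions.items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {t}")
```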
Re: [squid-users] SSL Traffic Monitoring
On Wed, 4 Aug 2004, McDonald, Rob wrote:
> I am looking to start caching SSL traffic, so I can make the content conform to company HR policies. There are commercial products that do this. I was wondering what the Squid crowd was doing for this issue?

Generally HTTPS traffic can not be cached due to the encryption.

Technically it is possible to implement a decrypting proxy using spoofed server certificates issued by the proxy, but this has not yet been implemented in Squid.

The technical drawbacks from doing this are:

- End-to-end is violated, making it impossible to use/access sites requiring client side SSL certificates for authentication.
- The user is no longer given the choice of trusting or denying access to sites not having a valid certificate. The company policy set in the proxy applies to all.
- The user can no longer inspect the server's certificate to determine if the site is trustworthy or not.
- Not yet implemented in Squid, so to do this it first needs to be implemented in the Squid code.

If you want to discuss how this may be implemented in Squid please contact [EMAIL PROTECTED]

Regards
Henrik