Re: [squid-users] Secure Web Proxy Stress Testing

2018-04-16 Thread Alex Rousskov 
On 04/14/2018 12:08 PM, Panagiotis Bariamis wrote:

> On Tue, Apr 10, 2018, 21:11 Alex Rousskov wrote:
>> Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
>> supports the combination of the two: TLS inside TLS (because HTTP/2
>> support essentially required that). I am not sure about Polygraph v4.
>> The workload I sketched uses HTTPS proxies and plain origin servers.


> I am trying to use Polygraph as suggested .
> However  squid servers are part of the University Network so
> routing changes are not possible as suggested by polymix-4.pg
> Which test you think I should use without routing changes (poly
> server and client will have just a public ip and the regular
> loopback inteface)  ?

This mailing list is not the right place for Polygraph support[1], but I
recommend writing your own workload for your own tests: Start with
simple.pg, use the IP addresses you want to use, and then add more bells
and whistles as needed (and as you get comfortable with the tool), one
change at a time. This is the approach used by the tutorial[2] as well.

  [1] http://lists.web-polygraph.org/mailman/listinfo/users
  [2] http://www.web-polygraph.org/test/docs/userman/simple.html


Cheers,

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Secure Web Proxy Stress Testing

2018-04-14 Thread Panagiotis Bariamis 
Thank you ,
Bariamis Panagiotis

On Tue, Apr 10, 2018 at 10:14 PM, Panagiotis Bariamis 
wrote:

> Thank you for the clarification.
>
> On Tue, Apr 10, 2018, 21:11 Alex Rousskov  com> wrote:
>
>>
>>
>> >Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
>> >supports the combination of the two: TLS inside TLS (because HTTP/2
>> >support essentially required that). I am not sure about Polygraph v4.
>> >The workload I sketched uses HTTPS proxies and plain origin servers.
>>
>>
>> Hello Alex ,
>> I am trying to use Polygraph as suggested .
>> However  squid servers are part of the University Network so routing
>> changes are not possible as suggested by polymix-4.pg.
>> Which test you think I should use without routing changes (poly server
>> and client will have just a public ip and the regular loopback inteface)  ?
>>
>>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Secure Web Proxy Stress Testing

2018-04-10 Thread Panagiotis Bariamis 
Thank you for the clarification.

On Tue, Apr 10, 2018, 21:11 Alex Rousskov 
wrote:

> On 04/10/2018 11:24 AM, Panagiotis Bariamis wrote:
> > Thank you for your answer  but as far as I can understand this setup is
> > for a regular proxy that just proxies https protocol with http connect
> > headers (unencrypted traffic between client and proxy on http connect
> > request ) .
>
> Your understanding is incorrect: All the traffic between the client and
> the proxy is encrypted in that test.
>
>
> > Secure web proxy encrypts traffic between client and proxy
>
> Yes, and that is what the Polygraph workload sketch tests. The Squid
> port for that workload is an https_port, not an http_port.
>
>
> > meaning that you have an http connect request inside a tls tunnel.
>
> Yes, if the origin server is talking TLS. Just like a regular HTTP
> proxy, an HTTPS proxy can proxy both plain and encrypted origin server
> traffic. The latter requires a CONNECT tunnel. Whether the origin server
> talks HTTP or HTTPS is a separate variable/issue, unrelated to whether
> the client-proxy communication itself is secured.
>
> Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
> supports the combination of the two: TLS inside TLS (because HTTP/2
> support essentially required that). I am not sure about Polygraph v4.
> The workload I sketched uses HTTPS proxies and plain origin servers.
>
>
> HTH,
>
> Alex.
>
>
>
> > On Tue, Apr 10, 2018, 17:22 Alex Rousskov wrote:
> >
> > On 04/10/2018 06:31 AM, Panagiotis Bariamis wrote:
> > > Is there any stress testing tool to test with a load of 1k to 5k
> > > simultaneous connections ?
> >
> > Web Polygraph (www.web-polygraph.org )
> > supports HTTPS proxies and can
> > create thousands of concurrent connections. Below is a PGL
> configuration
> > snippet from a recent HTTPS proxy test in our lab.
> >
> > HTH,
> >
> > Alex.
> >
> >
> > SslWrap sslWrap = {
> > ssl_config_file = "openssl.conf";
> > root_certificate = "CA-priv+pub.pem";
> > session_resumption = 70%;
> > session_cache = 100;
> > };
> >
> > Server S = {
> > // no ssl_wraps here unless you want to test TLS inside TLS
> > ...
> > };
> >
> > Proxy P = {
> > addresses = [ ... HTTPS proxy address ... ];
> > ssl_wraps = [ sslWrap ]; // this is an HTTPS proxy
> > };
> >
> > Robot R = {
> > ssl_wraps = [ sslWrap ]; // an HTTPS-capable client
> >
> > origins = S.addresses;
> > http_proxies = P.addresses;
> >
> > ...
> > };
> >
> > use(S,P,R);
> >
>
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Secure Web Proxy Stress Testing

2018-04-10 Thread Alex Rousskov 
On 04/10/2018 11:24 AM, Panagiotis Bariamis wrote:
> Thank you for your answer  but as far as I can understand this setup is
> for a regular proxy that just proxies https protocol with http connect
> headers (unencrypted traffic between client and proxy on http connect
> request ) .

Your understanding is incorrect: All the traffic between the client and
the proxy is encrypted in that test.


> Secure web proxy encrypts traffic between client and proxy

Yes, and that is what the Polygraph workload sketch tests. The Squid
port for that workload is an https_port, not an http_port.


> meaning that you have an http connect request inside a tls tunnel. 

Yes, if the origin server is talking TLS. Just like a regular HTTP
proxy, an HTTPS proxy can proxy both plain and encrypted origin server
traffic. The latter requires a CONNECT tunnel. Whether the origin server
talks HTTP or HTTPS is a separate variable/issue, unrelated to whether
the client-proxy communication itself is secured.

Polygraph supports HTTPS proxies and HTTPS servers. IIRC, Polygraph v5
supports the combination of the two: TLS inside TLS (because HTTP/2
support essentially required that). I am not sure about Polygraph v4.
The workload I sketched uses HTTPS proxies and plain origin servers.


HTH,

Alex.



> On Tue, Apr 10, 2018, 17:22 Alex Rousskov wrote:
> 
> On 04/10/2018 06:31 AM, Panagiotis Bariamis wrote:
> > Is there any stress testing tool to test with a load of 1k to 5k
> > simultaneous connections ?
> 
> Web Polygraph (www.web-polygraph.org )
> supports HTTPS proxies and can
> create thousands of concurrent connections. Below is a PGL configuration
> snippet from a recent HTTPS proxy test in our lab.
> 
> HTH,
> 
> Alex.
> 
> 
> SslWrap sslWrap = {
>     ssl_config_file = "openssl.conf";
>     root_certificate = "CA-priv+pub.pem";
>     session_resumption = 70%;
>     session_cache = 100;
> };
> 
> Server S = {
>     // no ssl_wraps here unless you want to test TLS inside TLS
>     ...
> };
> 
> Proxy P = {
>     addresses = [ ... HTTPS proxy address ... ];
>     ssl_wraps = [ sslWrap ]; // this is an HTTPS proxy
> };
> 
> Robot R = {
>     ssl_wraps = [ sslWrap ]; // an HTTPS-capable client
> 
>     origins = S.addresses;
>     http_proxies = P.addresses;
> 
>     ...
> };
> 
> use(S,P,R);
> 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Secure Web Proxy Stress Testing

2018-04-10 Thread Panagiotis Bariamis 
Thank you for your answer  but as far as I can understand this setup is for
a regular proxy that just proxies https protocol with http connect headers
(unencrypted traffic between client and proxy on http connect request ) .
Secure web proxy encrypts traffic between client and proxy meaning that you
have an http connect request inside a tls tunnel.

On Tue, Apr 10, 2018, 17:22 Alex Rousskov 
wrote:

> On 04/10/2018 06:31 AM, Panagiotis Bariamis wrote:
> > Is there any stress testing tool to test with a load of 1k to 5k
> > simultaneous connections ?
>
> Web Polygraph (www.web-polygraph.org) supports HTTPS proxies and can
> create thousands of concurrent connections. Below is a PGL configuration
> snippet from a recent HTTPS proxy test in our lab.
>
> HTH,
>
> Alex.
>
>
> SslWrap sslWrap = {
> ssl_config_file = "openssl.conf";
> root_certificate = "CA-priv+pub.pem";
> session_resumption = 70%;
> session_cache = 100;
> };
>
> Server S = {
> // no ssl_wraps here unless you want to test TLS inside TLS
> ...
> };
>
> Proxy P = {
> addresses = [ ... HTTPS proxy address ... ];
> ssl_wraps = [ sslWrap ]; // this is an HTTPS proxy
> };
>
> Robot R = {
> ssl_wraps = [ sslWrap ]; // an HTTPS-capable client
>
> origins = S.addresses;
> http_proxies = P.addresses;
>
> ...
> };
>
> use(S,P,R);
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Secure Web Proxy Stress Testing

2018-04-10 Thread Alex Rousskov 
On 04/10/2018 06:31 AM, Panagiotis Bariamis wrote:
> Is there any stress testing tool to test with a load of 1k to 5k
> simultaneous connections ?

Web Polygraph (www.web-polygraph.org) supports HTTPS proxies and can
create thousands of concurrent connections. Below is a PGL configuration
snippet from a recent HTTPS proxy test in our lab.

HTH,

Alex.


SslWrap sslWrap = {
ssl_config_file = "openssl.conf";
root_certificate = "CA-priv+pub.pem";
session_resumption = 70%;
session_cache = 100;
};

Server S = {
// no ssl_wraps here unless you want to test TLS inside TLS
...
};

Proxy P = {
addresses = [ ... HTTPS proxy address ... ];
ssl_wraps = [ sslWrap ]; // this is an HTTPS proxy
};

Robot R = {
ssl_wraps = [ sslWrap ]; // an HTTPS-capable client

origins = S.addresses;
http_proxies = P.addresses;

...
};

use(S,P,R);
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users