Re: [squid-users] SSL traffic

From: Víctor José Hernández Gómez <vjhergom_at_cic.upo.es>
Date: Tue, 05 Apr 2011 11:40:50 +0200

On 05/04/11 10:31, Amos Jeffries wrote:
> On 05/04/11 20:01, Víctor José Hernández Gómez wrote:
>> Dear squid users,
>>
>> we remember having measured the percentage of bandwidth devoted to SSL
>> in our squid installation, and it was about 10 percent of total traffic.
>>
>> SSL is not cacheable, and I think its use is increasing. I wonder if
>> there is any experience with squid software using SSL engines (hardware
>> devices) via openssl to get a better behaviour (that is, better
>> performance) of SSL traffic.
>
> What do you think Squid would do with such hardware? HTTPS traffic is
> encrypted/decrypted by the client and server. Squid just shuffles their
> pre-encrypted bytes to and fro.

I thought that --enable-ssl and --with-openssl compilation options would
provide squid with the ability to use openssl functions to treat SSL
traffic. In such a case, operating with hardware instead of software
would accelerate squid. I see that is not the case.

>> Any other idea regarding SSL treatment would be very welcome (parameter
>> tuning either on OS, squid, or openssl, etc.)

> If Squid is permitted to see the HTTP requests inside the SSL they are
> usually as cacheable as non-SSL requests.
>
> Please help us encourage the browser developers to make SSL links to a
> trusted SSL-enabled proxy and pass the requests to it. Then we can all
> benefit from improved HTTPS speeds.
>
>
> For now the tunneling Squid performs as well as non-caching proxies. Or
> in situations where ssl-bump feature can be used they work slower but
> with cache HITs being possible.
>
Thank you for your help.

-- 
Víctor J. Hernández Gómez
Received on Tue Apr 05 2011 - 09:40:57 MDT
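
The tunneling behaviour described in the reply above, as an added example that is not part of the thread and is not Squid's code: a relay that parses only the plaintext CONNECT request line and then copies bytes in both directions without ever calling a TLS function, which is why an SSL engine behind the proxy would have nothing to accelerate. The socketpairs, the host example.com and the record bytes are constructed stand-ins.

```python
import socket
import threading

def read_head(sock):
    """Read up to the blank line that ends an HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
    return buf

def parse_connect(head):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x'; reject anything else."""
    method, target, version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    return host, int(port)

def pump(src, dst):
    """Copy bytes unchanged until EOF. No TLS or crypto call appears anywhere."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def demo():
    client, proxy_c = socket.socketpair()   # constructed client <-> proxy link
    proxy_s, server = socket.socketpair()   # constructed proxy <-> origin link
    client.sendall(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n")
    target = parse_connect(read_head(proxy_c))   # the only bytes the proxy interprets
    proxy_c.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    read_head(client)
    workers = [threading.Thread(target=pump, args=(proxy_c, proxy_s)),
               threading.Thread(target=pump, args=(proxy_s, proxy_c))]
    for w in workers:
        w.start()
    up = bytes.fromhex("1703030008") + bytes(range(8))       # constructed opaque record
    down = bytes.fromhex("1703030008") + bytes(range(8, 16)) # constructed opaque record
    client.sendall(up)
    got_up = server.recv(4096)
    server.sendall(down)
    got_down = client.recv(4096)
    client.shutdown(socket.SHUT_WR)
    server.shutdown(socket.SHUT_WR)
    for w in workers:
        w.join()
    return target, got_up == up, got_down == down
```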
