On 25/02/2015 4:09 a.m., Josep Borrell wrote: > Hi, > > After some digging I realized that this setup works fine for HTTP traffic but > not for HTTPS. I'm using ssl_bump in intercept mode. > Is possible that for HTTPS traffic I can't split the upload / download ? >
At the connection level Squid is performing multiplexing for the HTTP messages. They are stateless, so can be split up and delivered over any connection it finds that meet the criteria. SSL-Bump however is a single encrypted inbound stream of bytes. Squid is being a "transaprent proxy" for it by ensuring that the outbound is as closely matching the inbound behaviour as possible. All the messages that come in on an encrypted stream should be going out on a matching (singular) outgoing encryted connection. There are some unavoidable differencs for HITS, error/deny's, forged certs etc but for the most part it needs to be kept as transparent as possible to reduce HTTPS problems. For intercepted traffic you can/should do load balancing by selecting the paths for new connections rather than messages. This is a major reason why I recommend doing load balancing at the OS level where NIC load vs capacity and the additional packet overheads can be taken into account. Amos _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
