Thanks for the highlight. It sounds more difficult to me since I just started in this caching field. But since most sites now require an HTTPS connection (even Google search is using HTTPS), not to mention social sites, and most mobile devices are recommended to use HTTPS before falling back to HTTP if it is not supported, that does make caching HTTPS content needed instead of passing it through ATS. Anyway, I like the ATS project (maybe because I like Leif Hedstrom's presentation during LISA) and its potential as a Squid competitor. This project helps admins control expensive bandwidth; as Leif always says, 'Cache is King'.

On Thu, Apr 18, 2013 at 12:37 PM, Alan M. Carroll <a...@network-geographics.com> wrote:

> Wednesday, April 17, 2013, 9:32:19 PM, you wrote:
>
> > It's an explicit forward proxy, not transparent. If I want to cache then I have to use the SSL termination, right? Anyway, I am using the connect_ports solution and set the CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0 so that the connection goes to parent just like you said. But how difficult is it to cache the HTTPS connection?
>
> Yes, any useful type of caching would require SSL termination.
>
> It is the SSL termination that is difficult. In the reverse case the set of certificates is not only finite but controlled by the same operation (e.g., if Yahoo! puts ATS with SSL termination in front of its servers, copying the certificates to ATS is simple).
>
> The forward case is far more difficult in both these respects because you don't know what certificates you need and you don't own them even if you do. I can't recommend the attempt to anyone who is not quite experienced with SSL, certificates, and authority chains. It's not something that could be dealt with via just email.
>
> For example, if a client connects to https://fidelity.com, to terminate the connection and cache it ATS would need to have installed on the ATS box an SSL certificate that the client browser would accept as a valid Fidelity certificate.
>
> It might be even worse, in that the browser forces the use of CONNECT (and not GET) for HTTPS connections. I'm not sure ATS will handle that in a way that would support caching.