Squid is probably the most widely used caching proxy server, and I have used it for more than 20 years. In the past, if you inspected its access log you would see entries like “TCP_HIT”, “TCP_MEM_HIT” or “TCP_MISS” everywhere. Nowadays you see far fewer of those; instead most lines read “TCP_TUNNEL”.
What causes this? Most web traffic is now served over HTTPS, so the HTTP request and response are encrypted with TLS between the browser and the origin server. Cryptography is a complex subject and many thick books have been written on it, but for Squid the effect is simple: it cannot see the real content (the HTTP payload) of HTTPS traffic. The client sends Squid a CONNECT request naming the destination host and port, Squid opens a TCP connection to that destination and then just copies bytes in both directions without understanding them; that blind relay is what “TCP_TUNNEL” in access.log means. Besides the host:port on the CONNECT line, Squid can see the server's IP address and the SNI in the TLS ClientHello, but nothing of the URL path, the headers or the body. The implication is that caching, Squid's main function, is greatly reduced, since a tunnel cannot be cached. For traffic still served over plain HTTP you will continue to see “TCP_HIT” and the like. In today's HTTPS-dominated world what Squid mostly gives you is access control and content filtering at the domain level, load balancing, and a single egress point for anonymity and security.
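As an added example (not part of the original post), here is a small POSIX shell/awk summary of Squid's native access.log format run over a few constructed log lines; the hosts, addresses and byte counts are made up. It shows how much of the traffic volume is opaque CONNECT tunnels, and that the only thing Squid records for an HTTPS request is the CONNECT target.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a Squid native-format
# access.log by result code. Native format fields are:
#   time elapsed client result/status bytes method url user hierarchy/peer type
set -e

# Constructed sample log lines (documentation-range addresses, made-up hosts).
SAMPLE_LOG='1700000000.101    312 10.0.0.21 TCP_TUNNEL/200 48213 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -
1700000000.205     14 10.0.0.21 TCP_HIT/200 2345 GET http://mirror.example.net/ubuntu/dists/Release - HIER_NONE/- text/plain
1700000000.330    120 10.0.0.22 TCP_MISS/200 10233 GET http://mirror.example.net/ubuntu/pool/main/a/a.deb - HIER_DIRECT/198.51.100.7 application/x-debian-package
1700000000.410    980 10.0.0.22 TCP_TUNNEL/200 910244 CONNECT cdn.example.org:443 - HIER_DIRECT/203.0.113.9 -
1700000000.515      2 10.0.0.23 TCP_MEM_HIT/200 512 GET http://mirror.example.net/ubuntu/dists/InRelease - HIER_NONE/- text/plain
1700000000.620    755 10.0.0.23 TCP_TUNNEL/200 120077 CONNECT login.example.com:443 - HIER_DIRECT/192.0.2.44 -'

# Requests per Squid result code (the part of field 4 before the slash).
# Prints one "<code> <count>" line per code, sorted bytewise.
count_results() {
    awk '{ split($4, rc, "/"); n[rc[1]]++ } END { for (c in n) print c, n[c] }' \
        | LC_ALL=C sort
}

# Share of transferred bytes that went through CONNECT tunnels, as an integer
# percentage. This is the part of the volume the cache can never help with.
tunnel_byte_share() {
    awk '{ split($4, rc, "/"); total += $5; if (rc[1] == "TCP_TUNNEL") tun += $5 }
         END { if (total == 0) print 0; else printf "%d\n", int((tun * 100) / total) }'
}

# For HTTPS all Squid ever logs is the CONNECT target (host:port); no path,
# no headers. List the distinct targets.
tunnel_hosts() {
    awk '$6 == "CONNECT" { print $7 }' | LC_ALL=C sort -u
}

# Usage with a real log: sh squid_tunnels.sh < /var/log/squid/access.log
# (replace SAMPLE_LOG with stdin); here we run it over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_results
printf 'bytes through tunnels: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | tunnel_byte_share)"
printf '%s\n' "$SAMPLE_LOG" | tunnel_hosts
```

On the sample, three of the six requests are tunnels, but they carry about 98% of the bytes; that is the picture a typical modern access.log paints.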
Some people might wonder why Squid can't just store the encrypted bytes and replay them to the next client. Sadly it is not that simple. TLS encrypts each connection under a session key negotiated between that particular client and the server, so the same page produces different ciphertext on every connection, and Squid, which holds neither side's keys, could neither recognise a repeated request nor produce ciphertext that a different client would be able to decrypt. To get the benefits of caching back you need a technique called SSL Bump. With SSL Bump Squid acts as a “man in the middle”: it terminates the client's TLS connection itself, opens its own TLS connection to the web server, and therefore sees, and can cache, the plaintext. One consequence is that the client sees a certificate generated by Squid instead of the web server's own. Squid signs these on-the-fly certificates with a CA certificate that you create yourself, which no browser trusts by default, so browsers show a warning or refuse to connect until you install that CA certificate in the system's certificate trust store (Firefox keeps its own store, so it needs the certificate added separately) so that browsers and other programs accept the generated certificates.
If you set your system-wide proxy to a Squid running SSL Bump, you may break applications that refuse any certificate other than the one they expect (certificate pinning), regardless of what the system trust store says. Most of these are security-related: VPN clients and the like. The usual fix is to exempt their destinations from bumping, so that those connections are tunnelled untouched as before.
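The set-up described in the two paragraphs above, as an added example that is not part of the original post and not the Squid project's own code: a shell script that creates the signing CA, writes an exemption list for hosts that must not be bumped, and writes the matching squid.conf fragment. The paths, the CA subject, the cache size and the two exempted host names are assumptions; the `security_file_certgen` path is the Debian/Ubuntu one (Fedora uses /usr/lib64/squid), and `openssl req -addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post or the Squid project: bootstrap an
# SSL Bump configuration. All paths and names below are assumptions.
set -eu

# 1. Create the signing CA. Squid mints a per-site leaf certificate from it for
#    every bumped host, so every client must trust this CA certificate.
make_bump_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir"
    openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
        -subj "/CN=Squid SSL Bump CA (example)" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$ca_dir/squid-ca.key" -out "$ca_dir/squid-ca.pem"
    chmod 600 "$ca_dir/squid-ca.key"   # the key can impersonate any site: protect it
    # DER copy for browsers and Windows. The PEM goes into the OS trust store:
    #   Ubuntu: /usr/local/share/ca-certificates/squid-ca.crt, then update-ca-certificates
    #   Fedora: /etc/pki/ca-trust/source/anchors/squid-ca.pem, then update-ca-trust
    openssl x509 -in "$ca_dir/squid-ca.pem" -outform DER -out "$ca_dir/squid-ca.der"
}

# 2. Hosts that must never be bumped (certificate-pinning apps, VPN endpoints).
#    Placeholder names; one dstdomain-style entry per line, leading dot = subdomains.
write_no_bump_list() {
    cat > "$1" <<'EOF'
.vpn.example.com
.update.example-vendor.test
EOF
}

# 3. squid.conf fragment: peek at the ClientHello first so the SNI is known,
#    splice the exemption list through untouched, bump everything else.
#    Order matters: the splice rule must come before the catch-all bump.
write_bump_conf() {
    out="$1"; ca_dir="$2"; no_bump="$3"
    cat > "$out" <<EOF
# Disk cache so bumped HTTPS responses can actually come back as TCP_HIT
cache_dir ufs /var/spool/squid 10000 16 256

http_port 3128 ssl-bump \\
    tls-cert=$ca_dir/squid-ca.pem \\
    tls-key=$ca_dir/squid-ca.key \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5

acl step1 at_step SslBump1
acl no_bump ssl::server_name "$no_bump"

ssl_bump peek step1
ssl_bump splice no_bump
ssl_bump bump all
EOF
}

# Usage on the proxy host (as root):  sh ssl_bump_setup.sh /etc/squid/ssl /etc/squid
# Afterwards initialise the certificate database once,
#   /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 16MB
# include /etc/squid/ssl_bump.conf from squid.conf, and reload Squid.
if [ $# -eq 2 ]; then
    make_bump_ca "$1"
    write_no_bump_list "$2/no_bump_hosts.txt"
    write_bump_conf "$2/ssl_bump.conf" "$1" "$2/no_bump_hosts.txt"
fi
```

Once a client trusts the CA, requests to bumped sites show up in access.log as GET lines with TCP_MISS and, on repeat, TCP_HIT again; the spliced hosts keep appearing as TCP_TUNNEL, which is exactly what you want for anything that pins its certificate.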
References:
- https://rasika90.medium.com/how-i-saved-tons-of-gbs-with-https-caching-41550b4ada8a
- https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/
- https://ubuntu.com/server/docs/install-a-root-ca-certificate-in-the-trust-store
- https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate