When working with Squid proxy servers in development environments, many engineers encounter an odd phenomenon: HTTPS connections via CONNECT take significantly longer to establish than HTTP connections. From my logs:
1416064327.076 49702 192.168.12.10 TCP_MISS/200 1373585 CONNECT r2---sn-q4f7sn7l.googlevideo.com:443
1416064691.281 68 192.168.12.10 TCP_MISS/200 412 GET http://serverfault.com/questions/ticks?
Through packet analysis, I discovered the primary culprit:
11:03:08.973995 IP 192.168.12.95.34778 > 62.213.85.4.443: Flags [S]
11:03:09.180753 IP 62.213.85.4.443 > 192.168.12.95.34778: Flags [S.]
The TCP handshake to the origin took 206.8ms, while Squid reported 732ms for the request; the difference points to DNS resolution overhead. Querying Google's DNS directly showed a stark contrast:
$ time nslookup russiatoday.com 8.8.8.8
real 0m0.056s
To optimize DNS resolution in Squid, make these adjustments to squid.conf:
# Enable aggressive DNS caching
dns_nameservers 8.8.8.8 8.8.4.4
positive_dns_ttl 6 hours
negative_dns_ttl 30 seconds
dns_timeout 5 seconds
For development environments using BIND9 locally, add:
# BIND9 specific optimizations
dns_v4_first on
dns_defnames off
To maintain persistent HTTPS connections:
# Squid connection management
client_persistent_connections on
server_persistent_connections on
pconn_timeout 120 seconds
After implementing these changes, test with:
# Hand-built CONNECT request (HTTP/1.1 requires the Host header); expect "HTTP/1.1 200 Connection established"
printf 'CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n' | nc proxy.example.com 3127
# Capture the proxy's upstream handshake to compare against the elapsed time Squid logs
tcpdump -i eth0 -nn 'host example.com and port 443' -w https_connect.pcap
Compare the timings before and after configuration changes. The second CONNECT request should now complete in under 200ms consistently.
For developers running their own proxy servers, these sysctl tweaks help:
# Increase TCP window sizes
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Improve connection handling
net.ipv4.tcp_max_syn_backlog = 8192
net.core.somaxconn = 8192
When working with Squid proxy in a caching configuration, I noticed significant latency specifically with HTTPS CONNECT tunnels. While regular HTTP traffic via GET requests showed excellent performance (typically under 100ms), HTTPS connections often exhibited delays exceeding 60,000ms for the initial connection.
The key observation from Squid logs showed a pattern where:
1416064327.076 49702 192.168.12.10 TCP_MISS/200 1373585 CONNECT r2---sn-q4f7sn7l.googlevideo.com:443
1416064345.018 63250 192.168.12.10 TCP_MISS/200 545 CONNECT mtalk.google.com:5228
Manual testing showed that DNS resolution accounted for most of the latency (in these lines the second column is the DNS lookup time in milliseconds, "-" when no lookup was needed): 580 of the 776ms total on the first request, versus 185ms on the repeat:
1416072432.918 580 776 192.168.12.10 TCP_MISS/200 0 CONNECT russiatoday.com:443
1416072446.823 - 185 192.168.12.10 TCP_MISS/200 0 CONNECT russiatoday.com:443
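To turn log excerpts like the ones above (and the CONNECT/GET pair at the top of the page) into numbers, here is an added example of a small analyzer; it is not part of the original write-up. It parses both Squid's native access.log layout and the custom layout used just above, where the DNS lookup time is the second column (an assumption about that format, inferred from the values shown), then reports per-method latency, slow CONNECTs, and the DNS share where it was logged. One caveat the output makes visible: Squid writes a CONNECT line when the tunnel closes, so its elapsed time is the tunnel's whole lifetime; an entry that moved 1.3 MB over 49.7 s is a long-lived video tunnel, not 49 s of connection setup.

```python
import re
import statistics
from dataclasses import dataclass
from typing import Optional

# Constructed sample built from the log excerpts on this page. The first three
# lines are Squid's native access.log layout (timestamp, elapsed ms, client,
# result/status, bytes, method, URL); the last two use the custom layout above,
# with the DNS lookup time (ms, or "-" for none) inserted as the second column.
SAMPLE_LINES = [
    "1416064327.076 49702 192.168.12.10 TCP_MISS/200 1373585 CONNECT r2---sn-q4f7sn7l.googlevideo.com:443",
    "1416064345.018 63250 192.168.12.10 TCP_MISS/200 545 CONNECT mtalk.google.com:5228",
    "1416064691.281 68 192.168.12.10 TCP_MISS/200 412 GET http://serverfault.com/questions/ticks?",
    "1416072432.918 580 776 192.168.12.10 TCP_MISS/200 0 CONNECT russiatoday.com:443",
    "1416072446.823 - 185 192.168.12.10 TCP_MISS/200 0 CONNECT russiatoday.com:443",
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    dns_ms: Optional[int]  # None when the line carries no DNS timing
    client: str
    result: str
    size: int
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line in either layout; return None for lines that do not fit."""
    f = line.split()
    if len(f) < 7:
        return None
    if IPV4.match(f[2]):            # native layout: client IP is the third field
        dns_ms, rest = None, f[1:]
    else:                           # custom layout: DNS time is the second field
        dns_ms = None if f[1] == "-" else int(f[1])
        rest = f[2:]
    if len(rest) < 6:
        return None
    elapsed, client, result, size, method, url = rest[:6]
    return Entry(float(f[0]), int(elapsed), dns_ms, client, result, int(size), method, url)


def summarize(lines, slow_ms: int = 1000):
    """Per-method latency stats, slow CONNECTs, and the DNS share where logged."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    by_method = {}
    for e in entries:
        by_method.setdefault(e.method, []).append(e.elapsed_ms)
    stats = {m: {"count": len(v), "median_ms": statistics.median(v), "max_ms": max(v)}
             for m, v in by_method.items()}
    # Caveat: Squid logs a CONNECT when the tunnel closes, so elapsed_ms is the
    # tunnel's whole lifetime. A large byte count means a long-lived tunnel,
    # not a slow setup; the size is kept so the reader can tell the two apart.
    slow = [e for e in entries if e.method == "CONNECT" and e.elapsed_ms >= slow_ms]
    dns_share = [(e.url, e.dns_ms, e.elapsed_ms) for e in entries if e.dns_ms is not None]
    return stats, slow, dns_share


if __name__ == "__main__":
    stats, slow, dns_share = summarize(SAMPLE_LINES)
    for method, s in stats.items():
        print(f"{method:8} n={s['count']} median={s['median_ms']}ms max={s['max_ms']}ms")
    for e in slow:
        print(f"slow CONNECT {e.url}: {e.elapsed_ms} ms over {e.size} bytes")
    for url, dns, total in dns_share:
        print(f"DNS share {url}: {dns}/{total} ms = {dns / total:.0%}")
```

Point it at a real access.log with `summarize(open("/var/log/squid/access.log"))`; the `slow_ms` threshold is the one to tune for alerting, and the DNS-share output only appears if the logformat records lookup time.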
Squid handles DNS resolution differently for CONNECT tunnels compared to regular HTTP traffic: it must resolve the destination hostname itself before it can open the tunnel, so resolver latency lands directly on CONNECT setup. When using a local BIND9 resolver forwarding to Google DNS (8.8.8.8), we observed roughly 500ms of overhead that should not be there:
# Direct DNS query timing
$ time nslookup russiatoday.com 8.8.8.8
real 0m0.056s
Several approaches can optimize this behavior:
1. Enable Squid's Internal DNS Cache
Add these directives to squid.conf:
dns_nameservers 8.8.8.8 8.8.4.4
positive_dns_ttl 1 hour
negative_dns_ttl 1 minute
2. Bypass Local DNS Forwarder
For systems using BIND9 as a forwarder, set the forwarders inside the options block:
# In named.conf.options
options {
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;
};
3. Implement DNS Prefetching
For Chrome specifically, you can enable predictive actions:
chrome --proxy-server="http://your-squid:3128" --dns-prefetch-disable=false
After implementing these changes, test with:
# Hand-built CONNECT request (HTTP/1.1 requires the Host header); expect "HTTP/1.1 200 Connection established"
printf 'CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n' | nc squid-proxy 3128
# End-to-end timing through the proxy, including the TLS handshake inside the tunnel
time curl -x http://squid-proxy:3128 https://example.com
The latency for initial HTTPS connections should now be comparable to direct DNS resolution times.
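The nc and curl checks above (and the same check earlier on the page against port 3127) give a single wall-clock number. The added example below, which is not part of the original write-up, splits one CONNECT into the TCP connect to the proxy and the wait for the proxy's reply: Squid only answers 200 once it has resolved the target and connected to it, so the second figure is the resolver-plus-upstream cost that the page is chasing. Repeating the request shows the cold lookup against the cached ones. The proxy and target hostnames are assumptions passed on the command line; the stub proxy is a local stand-in for checking the harness, not Squid.

```python
import socket
import threading
import time


def build_connect_request(host: str, port: int) -> bytes:
    """Minimal HTTP/1.1 CONNECT; the Host header is mandatory in HTTP/1.1."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_status(response: bytes):
    """Numeric status from the proxy's first response line, or None if malformed."""
    parts = response.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def _read_headers(sock) -> bytes:
    """Read until the blank line that ends the header block (or until EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def time_connect_tunnel(proxy_host, proxy_port, target_host, target_port=443, timeout=30.0):
    """Time the TCP connect to the proxy separately from the wait for its reply.
    Squid sends 200 only after resolving target_host and connecting to it, so
    tunnel_setup_ms is the resolver + upstream-connect cost on the proxy side."""
    t0 = time.perf_counter()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        t1 = time.perf_counter()
        s.sendall(build_connect_request(target_host, target_port))
        reply = _read_headers(s)
        t2 = time.perf_counter()
    return {"status": parse_status(reply),
            "tcp_to_proxy_ms": round((t1 - t0) * 1000, 1),
            "tunnel_setup_ms": round((t2 - t1) * 1000, 1)}


def measure(proxy_host, proxy_port, target_host, repeats=3):
    """Repeat so the first result (cold resolver) can be compared with the rest,
    which should be served from Squid's DNS cache (positive_dns_ttl)."""
    return [time_connect_tunnel(proxy_host, proxy_port, target_host) for _ in range(repeats)]


def start_stub_proxy(reply=b"HTTP/1.1 200 Connection established\r\n\r\n",
                     delay_s=0.0, accepts=1):
    """Local stand-in for a proxy (a harness check, not Squid): accepts `accepts`
    connections, waits delay_s to imitate resolver latency, then sends `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(accepts)

    def serve():
        for _ in range(accepts):
            conn, _addr = srv.accept()
            with conn:
                _read_headers(conn)
                time.sleep(delay_s)
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1", srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # usage: python connect_timing.py PROXY_HOST PROXY_PORT TARGET_HOST (all assumed values)
    host, port, target = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for i, r in enumerate(measure(host, port, target), 1):
        print(f"#{i} status={r['status']} tcp_to_proxy={r['tcp_to_proxy_ms']}ms "
              f"tunnel_setup={r['tunnel_setup_ms']}ms")
```

A note on curl: with `-x`, curl's own name lookup (`%{time_namelookup}` in a `-w` format) covers only the proxy's hostname; the origin-side DNS cost that Squid pays is folded into the wait before the TLS handshake can start. Timing the CONNECT reply directly, as above, isolates that part.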
For environments with heavy HTTPS traffic:
# In squid.conf
connect_timeout 30 seconds
pconn_timeout 120 seconds
Monitor performance with:
squidclient mgr:5min
squidclient mgr:dns