RE: [squid-users] Secure user authentication on a web proxy

From: Jenny Lee <bodycare_5_at_live.com>
Date: Tue, 20 Sep 2011 17:58:10 +0000

> Please also note that I also tried using Squid + Stunnel to achieve
> secure user authentication, according to these directions:
> http://www.jeffyestrumskas.com/index.php/how-to-setup-a-secure-web-proxy-using-ssl-encryption-squid-caching-proxy-and-pam-authentication/
> (except that I used ldap auth on the backend).
>
> It worked, but performance was *very* slow (practically awful), and I
> couldn't find any solution to improve performance. Squid without stunnel
> worked like a breeze (but without secure/encrypted user authentication)...

I don't know who thought tunnelling TCP inside TCP was a good idea, but it is not. There are all sorts of race conditions when congestion causes retransmission of packets.

I don't know if stunnel uses TCP or not.

But OpenVPN has an option to use TCP. You will find that VPN over UDP is 3 times faster than VPN over TCP.

All is not vain, though. There is a kernel option not to combine packets into bigger chunks but to send them immediately as smaller chunks. The OpenVPN option "tcp-nodelay" activates that, and I can reach almost UDP speeds with TCP.

I would check if something similar exists for stunnel.

Jenny
Received on Tue Sep 20 2011 - 17:58:16 MDT