Pre-warm TLS Tunnel

[masaori335]

Abstract

On TLS Forward Tunnel or TLS Partial Blind Tunnel, clients always have to wait while ATS establishes connections with origin servers. An idea to fix this issue is "pre-warm" connections between ATS and origin servers before clients make requests to ATS.

The overview is below.

Using the pre-warmed connection, clients can establish TLS Forward Tunnel or TLS Partial Blind Tunnel immediately. We can expect this improves time to first byte drastically.

Status/Plan

We're testing this concept, and we found some related features are required. The development branch becomes bigger than expected includes these features, so I'll break it down into PRs per feature. All PRs will be linked to this issue.

Features

• Log negotiated ALPN: Add new log field for negotiated ALPN Protocol ID with the client #7491
• ALPN Support on TLS Partial Blind Tunnel: Add ALPN support on TLS Partial Blind Tunnel #7511
• Outbound ProxyProtocol v1/v2: Outbound PROXY Protocol Support #7444
• Pristine SNI: Add server_name option to proxy.config.ssl.client.sni_policy #7533
• Overwrite SNI Policy from sni.yaml: Override proxy.config.ssl.client.sni_policy from sni.yaml #7703
• Dynamic Stats: Add DynamicStats #7704
• Active Tunnel Stats: Add current active SNI Routing Tunnel stats #8323
• Pre-warm TLS Tunnel: Add Pre-warm TLS Tunnel #7661

Related PRs

• Cleanup Cleanup: Add SNIRoutingType #7453