Actually, I proposed two solutions. While the bash script is messy, I will admit, the optimal solution of having a parent and child proxy is rather elegant, fault tolerant, and works without issue. The child proxy simply ignores and bypasses the parent proxy while the reload procedure is underway, and resumes passing traffic through it when it is ready to serve requests. You should try it.
I fail to see that the proposed temporary-redirect-to-other-squid-server works and is cost effective (solution 1).

Does it work?
- what about the CONNECT tunnels? no, they break
- what about the persistent HTTP connections? no, they break
- changing iptables rules is error prone since there is a split second where the rules are removed.

Is it cost effective?
- a secondary Squid server has an estimated cost between USD 2,000 and USD 10,000. The zero-cost alternative is using ufdbGuard.

About solution 2: Consider the following scenario: Suppose the parent proxy configuration must be reloaded. What mechanism will be used to signal the child proxy to ignore the parent?
- reload its configuration? No, reconfiguration of the client stops all traffic.
- simply let the connection to the parent fail? this will lead to timeouts and everything in progress fails.
- use more than 1 parent? can be done but is not cost effective since one needs an extra Squid server and still everything in progress fails.

If I am missing something, please explain how the child ignores the parent without interruption of service.

Marcus
- Signed, Fix Nichols http://www.squidblacklist.org
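The parent/child arrangement argued over above, written out as a Squid configuration for the child. This is an added example, not configuration posted by either participant; the parent hostname, port and timeouts are assumed. It uses only stock Squid directives: the parent is declared with `cache_peer`, marked dead after a single failed connect (`connect-fail-limit=1`), re-probed after `dead_peer_timeout`, and because `prefer_direct` is off and no `never_direct` rule exists, new requests go direct while the parent is down and return to the parent once it answers again.

```conf
# Child Squid: forward through a parent proxy, fall back to direct fetches
# while the parent is not accepting connections (e.g. during its reload).
# Added example; the host name, port and timer values are assumptions.

# Declare the parent. no-query: no ICP probes. default: last-resort peer.
# connect-fail-limit=1: one failed TCP connect marks the peer dead at once.
# connect-timeout=2: do not hang a client for the default connect timeout.
cache_peer parent.proxy.example.internal parent 3128 0 no-query default connect-fail-limit=1 connect-timeout=2

# How long a dead parent stays dead before Squid tries it again.
dead_peer_timeout 5 seconds

# Use the parent while it is alive, but allow direct retrieval when it is not.
prefer_direct off
nonhierarchical_direct on

# Deliberately absent: "never_direct allow all". With that line the child
# could never bypass a dead parent and would return errors during the reload.
```

Two caveats a practitioner should keep in mind, both consistent with the objections raised in the thread. First, this only helps requests that arrive after the parent stops listening: CONNECT tunnels and keep-alive connections already established through the parent are torn down when it goes away, and a `squid -k reconfigure` on the child itself still pauses the child. Second, "direct" means the child's own egress: if the parent is where URL filtering or logging is enforced, traffic leaving during the reload window bypasses those controls, so the child must have equivalent ACLs and egress restrictions of its own or the fallback should be disabled with `never_direct`.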