On 5/04/2014 10:55 a.m., Rafael Akchurin wrote:
> Hi Waldemar,
>
> Offload filtering to an external ICAP server that can be dynamically
> (re)configured to allow/block based on user authentication/IPs? In that
> case the teacher adjusts the ICAP server's config, leaving Squid's
> configuration intact. New requests through the same connections are
> blocked after the "switch".
>

The same thing applies to Squid with a reconfigure. All *new* requests are
blocked but existing ones are completed.

> Raf
>
> -----Original Message-----
> From: Waldemar Brodkorb
>
> Hi Squid community,
>
> we provide a Linux router with a sandwich setup using squid 3 and
> dansguardian for German schools. The configuration of ACLs is done in a
> Windows ADS server and can be dynamically reconfigured with a management
> application. When a teacher, for example, configures access to the
> internet with blacklisting of some sites, the management application
> connects to the Linux router via secure shell and executes
> "/etc/init.d/squid3 reload" to make the changes take effect.
>
> This worked fine for a long time with Windows XP clients and Internet
> Explorer 7/8 using NTLM authentication.
>
> But nowadays Mozilla Firefox, Safari, Internet Explorer 9/10 and Chrome
> are getting more in use. The first problem is that the static
> configuration of 5 NTLM authentication helpers is a bit too small. Most
> of the browsers try to open 7-10 connections to the proxy in parallel
> while surfing just one website. This kills squid with the "too many
> authentications" error.
>
> To fix this problem I updated the Linux router software (Debian/Knoppix
> derivative) to use Squid 3.4.x, which dynamically starts more NTLM auth
> helpers when needed. This worked fine in our tests.
>
> Now comes the second problem: when the teacher reconfigures the proxy to
> close the allowed connections for one class, all opened connections are
> still alive. I think the reason is that we use the default persistent
> connections for server and client.
>
> When we disable it, the access to the internet is directly closed, but
> the entire performance of the proxy seems to be bad.
>
> And it is no solution for any connections which use SPDY.

HTTPS and SPDY are becoming more of a problem since popular websites are
moving to use them and CONNECT tunnels wrap the entire session in HTTP as
a single request.

> What do you think? What might be a solution to this problem? I can't
> restart squid when changing the ACL rules, because then all users in the
> network would be disconnected.

You could set the request_timeout to be short. This would make the CONNECT
requests terminate after a few minutes.

You could also use the SSL-bump feature in Squid. This has a double benefit
of allowing the control software to act on the HTTPS requests and
preventing SPDY etc. being used by the browser.

Amos
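A squid.conf fragment that puts the two suggestions above (short request_timeout, SSL-bump) next to the on-demand NTLM helper setup Waldemar moved to. This is an added illustration, not configuration from the thread or from the Squid project; the helper counts, the 2-minute timeout, the certificate and ssl_crtd paths, and the Debian-style /etc/squid3 and /usr/lib/squid3 locations are assumed values for a Squid 3.4 install like the one described.

```conf
# Added example (not from the thread): Squid 3.4 squid.conf fragment
# for the school-router scenario. All values below are assumptions.

# NTLM helpers started on demand (Squid 3.2+ "children" syntax):
# up to 30 helpers, 5 started at boot, keep 2 idle. A fixed pool of
# 5 is what produced the "too many authentications" error with
# browsers that open 7-10 connections each.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30 startup=5 idle=2
auth_param ntlm keep_alive on

# Suggestion 1: a short request_timeout (default is 5 minutes) so an
# idle CONNECT tunnel is dropped after a couple of minutes and a
# "squid3 reload" takes effect on that client sooner. Value assumed.
request_timeout 2 minutes

# Suggestion 2: SSL-bump. Each HTTPS request inside the tunnel becomes
# a separate request the http_access ACLs (and dansguardian/ICAP) can
# see, and the browser cannot negotiate SPDY through the proxy.
# "server-first" is the Squid 3.2-3.4 mode; 3.5+ uses peek/splice/bump.
# The CA certificate must be installed as trusted on the clients.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/schoolproxy-ca.pem
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/squid3/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all

# Persistent connections are left at their default (on). Turning them
# off closed sessions immediately but, as reported, hurt performance;
# the timeout above bounds how long an existing session outlives a
# reload without paying that cost.
client_persistent_connections on
server_persistent_connections on
```

Two practical caveats: `/etc/init.d/squid3 reload` is a reconfigure, so it still only affects new requests, and the request_timeout is what bounds the lag for connections already open; and the Debian squid3 package of that era was built without OpenSSL support, so the ssl-bump and sslcrtd lines need a Squid built with `--enable-ssl --enable-ssl-crtd`.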