Re: how to dynamically reconfigure squid?

On 5/04/2014 10:55 a.m., Rafael Akchurin wrote:
> Hi Waldemar,
> 
> Offload filtering to an external ICAP server that can be dynamically
> (re)configured to allow/block based on user authentication/IPs? In
> that case the teacher adjusts the ICAP server's config, leaving Squid's
> configuration intact. New requests through the same connections are
> blocked after the "switch".
> 

The same thing applies to Squid with a reconfigure. All *new* requests
are blocked but existing ones are completed.

> Raf
> 
> -----Original Message-----
> From: Waldemar Brodkorb
> 
> Hi Squid community,
> 
> we provide a Linux router with a sandwich setup using Squid 3 and
> DansGuardian for German schools. The configuration of ACLs is
> done in a Windows ADS server and can be dynamically
> reconfigured with a management application. When a teacher, for
> example, configures access to the internet while blacklisting
> some sites, the management application connects to the Linux router
> via secure shell and executes "/etc/init.d/squid3 reload" to make the
> changes take effect.
> 
> This worked fine for a long time with Windows XP clients and Internet
> Explorer 7/8 using NTLM authentication.
> 
> But nowadays Mozilla Firefox, Safari, Internet Explorer 9/10 and
> Chrome are coming into wider use. The first problem is that the static
> configuration of 5 NTLM authentication helpers is a bit too small.
> Most of the browsers try to open 7-10 connections to the proxy in
> parallel while surfing just one website. This kills Squid with the
> "too many authentications" error.
> 
> To fix this problem I updated the Linux router software
> (Debian/Knoppix derivative) to use Squid 3.4.x, which dynamically starts
> more NTLM auth helpers when needed. This worked fine in our tests.
> 
> Now comes the second problem: when the teacher reconfigures the proxy
> to close the allowed connections for one class, all opened
> connections are still alive. I think the reason is that we use the
> default persistent connections for server and client.
> 
> When we disable it, access to the internet is closed directly,
> but the overall performance of the proxy seems to be bad.
> 
> And it is no solution for any connections which use SPDY.
>

HTTPS and SPDY are becoming more of a problem since popular websites are
moving to use them, and CONNECT tunnels wrap the entire session in HTTP
as a single request.

> What do you think? What might be a solution to this problem? I can't
> restart squid when changing the ACL rules, because then all users in
> the network would be disconnected.

You could set the request_timeout to be short. This would make the
CONNECT requests terminate after a few minutes.

You could also use the SSL-bump feature in Squid. This has the double
benefit of allowing the control software to act on the HTTPS requests
and preventing SPDY etc. from being used by the browser.

Amos
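An added example of a squid.conf fragment that puts the points of this thread together (on-demand NTLM helpers, bounded connection lifetimes so a reload takes effect, and SSL-bump), written against Squid 3.4 syntax as used in the original post. It is not configuration from the thread or from the Squid project; the helper program path, certificate and directory paths, helper counts and timeout values are assumptions to be adjusted for the site.

```conf
# Added example squid.conf fragment (Squid 3.4 syntax); not from the thread.
# All paths, helper counts and timeout values below are assumptions.

# 1. NTLM helpers: let Squid start more helpers on demand instead of a
#    fixed pool of 5, so 7-10 parallel browser connections do not exhaust it.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30 startup=5 idle=3
auth_param ntlm keep_alive on

# 2. Keep persistent connections (disabling them costs performance), but
#    bound how long an idle or long-lived client connection can outlive a
#    "squid3 -k reconfigure" (which is what /etc/init.d/squid3 reload runs).
client_persistent_connections on
server_persistent_connections on
# Idle keep-alive client connection: close after this long with no new request.
persistent_request_timeout 1 minute
# How long to wait for complete request headers on a connection.
request_timeout 2 minutes
# Hard cap on any client connection, active or not, CONNECT tunnels included
# (the default is 1 day, which is why a tunnel opened before the reload
# can stay up for hours after the ACLs changed).
client_lifetime 30 minutes

# 3. SSL-bump so http_access rules see the real HTTPS requests instead of a
#    single opaque CONNECT, and so the browser does not run SPDY through the
#    tunnel. The signing CA (bump-ca.pem) must be distributed to the clients,
#    e.g. via AD group policy, or every HTTPS site will raise a warning.
http_port 3128 ssl-bump cert=/etc/squid3/bump-ca.pem key=/etc/squid3/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/squid3/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
# Do not silently pass upstream certificate errors through to bumped clients.
sslproxy_cert_error deny all
```

Before relying on section 3, check `squid3 -v` for `--enable-ssl` and `--enable-ssl-crtd`: Debian's squid3 packages of that era were commonly built without OpenSSL support, in which case the ssl-bump options are rejected at startup. Validate an edited file with `squid3 -k parse` before `squid3 -k reconfigure`, and keep in mind what Amos says above: a reconfigure only governs new requests, so connections and tunnels already open are closed by the timeouts in section 2, not by the reload itself.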



