Re: Refresh ACL list only

On 03/17/2015 04:32 PM, Brendan Kearney wrote:
> On Tue, 2015-03-17 at 16:13 -0300, Marcus Kool wrote:
>> it has a configuration option to respond with
>> 'allow all' during a reconfiguration.
>
> A fail-open policy can be a security gap, and should be considered
> carefully before implementing. The intention of the whitelisted URLs is
> to prevent access to content that is otherwise forbidden. Failing open,
> even briefly, undermines that control. What is the default setting
> there?

The default is 'allow all' and can be changed into 'deny all'.
Neither is perfect.

Another related parameter is url-lookup-delay-during-database-reload
which, if set, artificially slows the response, which significantly
reduces the number of URL queries during the reconfiguration interval.

One can also do the haproxy failover scenario with ufdbguard.

1  load balance using squid1 and squid2
2  load balancer: use squid1 only for new connections and wait 2 seconds
3  ufdbguard2/squid2: ufdbguardd reload and wait 10 seconds
4  load balancer: use squid2 only for new connections and wait 2 seconds
5  ufdbguard1/squid1: ufdbguardd reload and wait 10 seconds
6  load balance using squid1 and squid2

In state 2, existing connections on squid2 are left alone and no new requests come in, so it is safe to reconfigure ufdbguard.
The same holds for state 4.

Marcus
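The six-step rolling reload above, written out as an added example (not code from the thread or from the ufdbGuard or haproxy projects). It assumes a haproxy backend named "squid" with servers "squid1" and "squid2", a haproxy admin socket at /var/run/haproxy.sock (haproxy.cfg: "stats socket /var/run/haproxy.sock level admin"), one ufdbguardd per proxy node that reloads its URL database on SIGHUP, and that the server names double as SSH host names; all of those are assumptions for the illustration. "set server ... state drain" (haproxy 1.6+) stops new connections to a server while leaving established ones alone, which is exactly the condition the post relies on in states 2 and 4; on older haproxy "disable server" is the nearest equivalent. With DRY_RUN=1 the script only prints the step sequence, so it can be inspected before it touches a live balancer.

```shell
#!/bin/sh
# Rolling ufdbguardd reload behind haproxy: drain one squid, reload its
# ufdbguardd while it gets no new requests, then swap and repeat.
# Assumed names (hypothetical): backend "squid", servers/hosts squid1 and squid2.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"  # assumed admin socket path
BACKEND="${BACKEND:-squid}"                             # assumed backend name
DRAIN_WAIT="${DRAIN_WAIT:-2}"    # seconds to let in-flight requests finish (state 2/4)
RELOAD_WAIT="${RELOAD_WAIT:-10}" # seconds for ufdbguardd to finish reloading (state 3/5)
DRY_RUN="${DRY_RUN:-0}"          # 1 = print steps only, touch nothing
STEPS=""                         # one recorded step per line, for review/testing

# Record a step; in dry-run mode also print it.
step() {
    STEPS="${STEPS}${1}
"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    fi
}

# Send one admin command to haproxy's stats socket.
hap() {
    step "haproxy: $1"
    if [ "$DRY_RUN" != 1 ]; then
        printf '%s\n' "$1" | socat stdio "unix-connect:$HAPROXY_SOCK"
    fi
}

# Reload the URL database of the ufdbguardd on a proxy node.
# Assumption: ufdbguardd re-reads its configuration and database on SIGHUP.
node_reload() {
    step "$1: kill -HUP ufdbguardd"
    if [ "$DRY_RUN" != 1 ]; then
        ssh "root@$1" pkill -HUP ufdbguardd
    fi
}

# Fixed wait, as in the post; skipped in dry-run mode.
pause() {
    step "wait ${1}s"
    if [ "$DRY_RUN" != 1 ]; then
        sleep "$1"
    fi
}

rolling_reload() {
    # state 2: only squid1 takes new connections; squid2 finishes what it has
    hap "set server $BACKEND/squid2 state drain"
    pause "$DRAIN_WAIT"
    # state 3: squid2 receives no new requests, so reloading ufdbguard2 is safe
    node_reload squid2
    pause "$RELOAD_WAIT"
    # state 4: swap roles; only squid2 takes new connections
    hap "set server $BACKEND/squid2 state ready"
    hap "set server $BACKEND/squid1 state drain"
    pause "$DRAIN_WAIT"
    # state 5: reload ufdbguard1 while squid1 is idle for new work
    node_reload squid1
    pause "$RELOAD_WAIT"
    # state 6: back to balancing across both
    hap "set server $BACKEND/squid1 state ready"
}

# Run only when asked, so sourcing the file for inspection is harmless.
if [ "${1:-}" = "run" ]; then
    rolling_reload
fi
```

The fixed RELOAD_WAIT mirrors the "wait 10 seconds" in the post; on a large URL database it is worth replacing the sleep with a check that ufdbguardd is answering again before the node is put back in service, otherwise the whole point of the dance (never querying a reloading ufdbguardd) is lost if the reload runs long.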



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users