Re: Needing state in NTLMSSP

From: Robert Collins <robertc@dont-contact.us>
Date: 17 Jan 2003 11:43:00 +1100

On Fri, 2003-01-17 at 09:27, Henrik Nordstrom wrote:
> Thu 2003-01-16 at 21.02, Robert Collins wrote:
> > On Fri, 2003-01-17 at 02:12, Henrik Nordstrom wrote:
> >
> >
> > > Having the helpers sit idle only because they are blocked by a client
> > > thinking about how to send the auth packet is a big waste, and very
> > > easily ends up in a DoS condition where all helpers are made busy unless
> > > the number of helpers is excessively large (in the range of thousands).
> >
> > We don't do this today, and I'd be very much against any change that put
> > us back into that situation.
>
> What situation? What we have today as it is not suitable for production
> use unless Squid is modified to support having thousands of ntlm helper
> children.. and I cannot say I like a design requiring the use of
> thousands of children only because some external resource outside your
> control (i.e. clients) may send you requests blocking all helpers..

You are reading the code incorrectly. We *don't* need thousands of
helper children, and we don't block the helper based on the client.

We multiplex requests from multiple NTLM authentications to each NTLM
helper. You can run with only one helper, if your helper is reasonably
fast in its responses.

Rob

-- 
GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.

Received on Thu Jan 16 2003 - 17:43:06 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:07 MST