Re: problems with the squid-2.5 connection pinning

From: Steven Wilton <steven.wilton@dont-contact.us>
Date: Sat, 15 Apr 2006 13:13:47 +0800

I'm planning on deploying this patch out on our servers as soon as I get the
chance. I'll let you know how it goes.

Steven

----- Original Message -----
From: "Adrian Chadd" <adrian@creative.net.au>
To: "Steven Wilton" <swilton@q-net.net.au>
Cc: <squid-dev@squid-cache.org>
Sent: Saturday, April 15, 2006 12:53 PM
Subject: Re: problems with the squid-2.5 connection pinning

> Are you planning on running this version of the patch (and the tproxy
> support) on your production caches any time soon?
>
> I'd like to place this on my proxy servers but I don't want to be a beta
> tester. Not yet, at least. :)
>
>
>
> Adrian
>
> On Sat, Apr 15, 2006, Steven Wilton wrote:
>
>> We've been using a patch that allows NTLM auth to work through our
>> proxies for a while now. The version we're using does depend on the
>> tproxy patch that we've also applied, and it essentially adds the
>> client's IP address and port to the pconn key when the server connection
>> is spoofing the client's IP address. As a result of using the existing
>> pconn code, we do not handle the closing of the server connection any
>> differently from any other persistent connection failing. This has not
>> generated errors that I have heard of from any client using our proxy
>> servers, and we do transparently proxy all our client access to web
>> servers.
>>
>> Having seen your patch, I've added the Proxy-Support: headers, and also
>> added a "pinning" flag to the request->flags struct to allow
>> identification of a pinned connection. I've attached a modified version
>> of the patch we're using for comment, as it uses the existing persistent
>> connection methods and does not add any new sections of code that will
>> terminate connections (and this version will apply to the squid 2.5 tree
>> without needing the tproxy patch applied).
>>
>> I've not looked into the HTTP specs to see if I'm breaking any rules
>> here, but in practice we're not seeing problems with this style of
>> connection pinning.
>>
>> Steven
>
>
>
Received on Sat Apr 15 2006 - 09:18:11 MDT
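
The keying idea described in the quoted message (client IP address and port added to the pconn key, so a server connection that NTLM has authenticated is only ever reused by the client connection that opened it), as an added example that is not code from the thread or from the attached patch. The key format, function names, pool sizes and addresses are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define KEYLEN 128   /* constructed sizes for the example */
#define POOLSZ 8
/* Idle server-side connections, each stored under its pool key. */
static struct { char key[KEYLEN]; int fd; } pool[POOLSZ];
static int pool_n;

/* Hypothetical key format: a pinned key also carries the client's ip.port. */
static void pconn_key(char *buf, const char *host, int port,
                      const char *cip, int cport, int pinned)
{
    if (pinned)
        snprintf(buf, KEYLEN, "%s.%d/%s.%d", host, port, cip, cport);
    else
        snprintf(buf, KEYLEN, "%s.%d", host, port);
}

/* Park an idle connection; returns 0, or -1 when the pool is full. */
static int pconn_push(int fd, const char *host, int port,
                      const char *cip, int cport, int pinned)
{
    if (pool_n == POOLSZ) return -1;
    pconn_key(pool[pool_n].key, host, port, cip, cport, pinned);
    pool[pool_n++].fd = fd;
    return 0;
}

/* Take a connection whose key matches exactly, or -1 (open a new one). */
static int pconn_pop(const char *host, int port,
                     const char *cip, int cport, int pinned)
{
    char key[KEYLEN];
    int i, fd;
    pconn_key(key, host, port, cip, cport, pinned);
    for (i = 0; i < pool_n; i++) {
        if (strcmp(pool[i].key, key) != 0) continue;
        fd = pool[i].fd;
        pool[i] = pool[--pool_n];   /* fill the hole with the last entry */
        return fd;
    }
    return -1;
}

int main(void)
{
    pconn_push(7, "intranet.example", 80, "192.0.2.10", 40001, 1);
    printf("other client: %d\n", pconn_pop("intranet.example", 80, "192.0.2.11", 40001, 1));
    return pconn_pop("intranet.example", 80, "192.0.2.10", 40001, 1) == 7 ? 0 : 1;
}
```

With the plain `host.port` key, any client's request to the same origin can pick up the parked connection, which is the case that breaks connection-oriented authentication such as NTLM.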
