Re: Tproxy patch

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Wed, 12 Jul 2006 08:54:14 +0200

Wed 2006-07-12 at 12:44 +0800, Steven Wilton wrote:
> I've just been looking at installing squid2.6 on our proxy servers, but came
> across a couple of problems. The attached patch fixes these. The first
> part of the patch enables NTLM auth even when pipeline_prefetch is enabled.
> I've just had a quick check, and it looks like this is not a problem (at
> least when the request is transparent). There may be something I've not
> considered, and I can understand if this part of the patch is not applied,
> but I would be interested to hear why.

Connection pinning and pipeline_prefetch are mutually exclusive because
prefetching will run multiple requests in parallel on different server
connections. I had hoped to make this condition per connection, but the
parser is a bit too hungry to do this reliably.

For similar reasons local NTLM auth is also considered mutually
exclusive with prefetching, as the state machine has not been audited
for what happens if a client tries to pipeline requests halfway through an
NTLM handshake.

Note: pipeline prefetching is very very experimental and often causes
problems, and I have many times seriously considered ripping it out. The
current design is quite broken, in part due to trying to comply with
slightly conflicting sections in the RFCs.

Not applied.

> The second part stops squid from sending bad headers for NTLM authenticated
> requests on transparent connections (due to the addition of the transparent
> flag in squid 2.6).

OK. Applied.

> The third part of the patch allows squid to increase the number of fd's
> beyond 1024 when tproxy is enabled. It looks like a different set of logic
> has been applied to tools.c to include <sys/capability.h> and <sys/prctl.h>.
> I don't know if this will work in main.c. Applying the same include logic
> to main.c may be considered a better solution.

Hmm.. who is redefining __FD_SETSIZE under our feet? It's already
defined by including squid.h. Ah, linux/posix_types.h has obsolete
kernel definitions.. (the kernel no longer uses fd_set). Its
__kernel_fd_set definition also gets wrong, but this type is not used by
anyone so...

Redefining it like this isn't entirely safe as there may have been type
declarations dependent on it in the included headers. But hopefully
those were included by squid.h before it got redefined...

Ah, there it is. We should be including sys/capability.h, not
linux/capability.h. The sys header already has the needed glue to not
collide with glibc. Fixed.

Regards
Henrik
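The fd limit discussion above turns on one fact: fd_set is a fixed-size bitmap whose width is frozen at compile time from __FD_SETSIZE/FD_SETSIZE (1024 by default), so FD_SET() on a descriptor at or above that value writes past the end of the bitmap, and two translation units that saw different values of __FD_SETSIZE disagree on sizeof(fd_set). The following is an added illustration of that hazard and a bounds-checked wrapper; it is not code from the Squid patch or from the thread, and the helper names (fd_set_capacity, safe_fd_set, safe_fd_isset) are my own.

```c
/* Added example (not Squid's code): why FD_SETSIZE must match the fd
 * limit the process really uses, and how to refuse out-of-range fds
 * instead of corrupting memory with an unchecked FD_SET(). */
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* Number of descriptors the compiled-in fd_set can track. This value is
 * fixed when this translation unit is compiled; another object file
 * compiled with a different __FD_SETSIZE has a different sizeof(fd_set). */
int fd_set_capacity(void)
{
    return FD_SETSIZE;
}

/* Bits actually present in the bitmap (on glibc this equals FD_SETSIZE). */
int fd_set_bits(void)
{
    return (int)(sizeof(fd_set) * 8);
}

/* Bounds-checked FD_SET: 0 on success, -1 if fd is outside the bitmap.
 * A plain FD_SET(fd, set) with fd >= FD_SETSIZE is an out-of-bounds write. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Bounds-checked FD_ISSET: out-of-range descriptors report "not set"
 * rather than reading past the bitmap. */
int safe_fd_isset(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, set) ? 1 : 0;
}

int main(void)
{
    fd_set s;
    FD_ZERO(&s);
    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu bytes (%d bits)\n",
           fd_set_capacity(), sizeof(fd_set), fd_set_bits());
    /* In range: accepted. */
    printf("fd 5 -> %d\n", safe_fd_set(5, &s));
    /* One past the bitmap: refused instead of overflowing. */
    printf("fd %d -> %d\n", FD_SETSIZE, safe_fd_set(FD_SETSIZE, &s));
    return 0;
}
```

Passing -DFD_SETSIZE=... on the command line is not enough on glibc, because glibc's own headers define __FD_SETSIZE unconditionally and derive FD_SETSIZE from it; that is why the thread talks about redefining __FD_SETSIZE from squid.h before any other header can use it, and why a later header such as linux/posix_types.h redefining it again is a problem. The safe pattern is to raise the limit in exactly one place that every translation unit sees first, or to move off select() to poll()/epoll(), which carry no compile-time descriptor ceiling.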

Received on Wed Jul 12 2006 - 00:54:18 MDT
