Re: [squid-users] Massive problems with https connections to Domino Server (long) from vda on 2004-02-09 (squid-users)

From: vda <vda@dont-contact.us>
Date: Mon, 9 Feb 2004 14:29:45 +0200

On Monday 09 February 2004 13:15, Rainer Traut wrote:
> Ok, here is the output of outgoing squid if to server.
> Please notice the 5sec delay between ie standstill and complete blocked
> domino server until I close my IE.

I see ~50 connections open from squid to domino,
all of them are being closed when you close IE.

Since I do not see tcpdump between IE and squid,
I can only guess that IE, too, kept ~50 open
connections to squid. You can verify this with
tcpdump and/or by viewing squid access log.

Why IE don't do it when you go direct? I don't know.
You may do detailed tcpdumps and try to spot differences
between direct/cached cases.

BTW. Is your squid transparent?

BTW#2. Why do you proxy https traffic at all?
What are you trying to achieve?

11:04:54.751905 10.0.0.22.30945 > 217.110.232.12.https: . ack 1 win 5840 <nop,nop,timestamp 491126452 33990879> (DF)
11:04:54.759791 10.0.0.22.30944 > 217.110.232.12.https: R 211:211(0) ack 3138 win 14480 <nop,nop,timestamp 491126453 33990880> (DF)
11:04:54.767284 10.0.0.22.30952 > 217.110.232.12.https: S 1291454865:1291454865(0) win 5840 <mss 1460,sackOK,timestamp 491126454 0,nop,wscale 0> (DF)
11:04:54.767578 10.0.0.22.30952 > 217.110.232.12.https: . ack 1 win 5840 <nop,nop,timestamp 491126454 33990881> (DF)
....here you close IE...
11:05:00.532545 10.0.0.22.30938 > 217.110.232.12.https: F 71:71(0) ack 1 win 5840 <nop,nop,timestamp 491127030 33990874> (DF)
11:05:00.683917 10.0.0.22.30901 > 217.110.232.12.https: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 491127046 33990776> (DF)
11:05:00.684375 10.0.0.22.30877 > 217.110.232.12.https: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 491127046 33990662> (DF)
11:05:00.684557 10.0.0.22.30534 > 217.110.232.12.https: F 1271438639:1271438639(0) ack 1486185834 win 5840 <nop,nop,timestamp 491127046 33988090> (DF)

IE DoSes your server. In this case inadvertently but still,
you have to take measures.
You probably should configure squid/Domino to limit number
of TCP connections from one IP, total number of open
connections and/or limit max connection lifetime.

-- 
vda

Received on Mon Feb 09 2004 - 05:41:34 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:02 MST