Re: [squid-users] Massive problems with https connections to Domino Server (long)

From: <Jim_Brouse/PYT@dont-contact.us>
Date: Mon, 9 Feb 2004 08:42:06 -0700

Maybe there is something wrong with the client. Update the client to the latest
version of IE with all hotfixes, service packs, etc.

Jim


                                                                                                                   
From: Rainer Traut <rainer.traut@epost.de>
To: vda <vda@port.imtp.ilyichevsk.odessa.ua>
cc: "'squid-users@squid-cache.org'" <squid-users@squid-cache.org>, hno@squid-cache.org
Date: 02/09/2004 07:43 AM
Subject: Re: [squid-users] Massive problems with https connections to Domino Server (long)
                                                                                                                   
                                                                                                                   

vda wrote:
> On Monday 09 February 2004 13:15, Rainer Traut wrote:
>
> I see ~50 connections open from squid to domino,
> all of them are being closed when you close IE.
This might be by accident, but SSL_RESUMABLE_SESSIONS is 50.

> Since I do not see tcpdump between IE and squid,
> I can only guess that IE, too, kept ~50 open
> connections to squid. You can verify this with
> tcpdump and/or by viewing squid access log.
Yes, that's right, same count.

> Why doesn't IE do it when you go direct? I don't know.
> You may do detailed tcpdumps and try to spot differences
> between direct/cached cases.
I will try this.

> BTW. Is your squid transparent?
No.

> BTW#2. Why do you proxy https traffic at all?
> What are you trying to achieve?
Security. What I learned is to deny direct TCP connections to the
internet. I can go direct in this case, but that is an exception.
Besides, it's easy to implement squid's acl.

> IE DoSes your server. In this case inadvertently but still,
> you have to take measures.
> You probably should configure squid/Domino to limit number
> of TCP connections from one IP, total number of open
> connections and/or limit max connection lifetime.
I know you are very kind and are trying to help me, thx very much for
this. But this cannot be a solution. There is something fundamentally
wrong. I can take down one server with just one client -easily-.

Wild guess here: Might it have something to do with
IE's ssl_unclean_shutdown I am reading about everywhere?
Perhaps Domino shuts down the SSL connections right when IE is directly
connected but fails with proxy?

Rainer
Received on Mon Feb 09 2004 - 09:12:34 MST
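
The access-log check suggested in the thread above, as an added example that is not part of the original messages: it reads squid's native access.log format and reports, per client IP, the peak number of CONNECT tunnels that were open at the same time. The log lines, host names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, squid native access.log format:
# end_time elapsed_ms client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1076340005.000 120 192.0.2.10 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/203.0.113.7 text/html
1076340010.000 5000 192.0.2.20 TCP_MISS/200 3100 CONNECT domino.example:443 - DIRECT/198.51.100.5 -
1076340020.000 5000 192.0.2.20 TCP_MISS/200 2900 CONNECT domino.example:443 - DIRECT/198.51.100.5 -
1076340060.000 60000 192.0.2.10 TCP_MISS/200 4200 CONNECT domino.example:443 - DIRECT/198.51.100.5 -
1076340061.000 60000 192.0.2.10 TCP_MISS/200 4100 CONNECT domino.example:443 - DIRECT/198.51.100.5 -
1076340062.000 60000 192.0.2.10 TCP_MISS/200 4300 CONNECT domino.example:443 - DIRECT/198.51.100.5 -
1076340063.000 60000 192.0.2.10 TCP_MISS/200 4000 CONNECT domino.example:443 - DIRECT/198.51.100.5 -
"""


def peak_connect_tunnels(log_text, target_suffix=":443"):
    """Return {client_ip: peak count of simultaneously open CONNECT tunnels}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # only tunnelled (https) requests matter here
        if not fields[6].endswith(target_suffix):
            continue
        try:
            end = float(fields[0])             # squid logs when the tunnel closes
            start = end - int(fields[1]) / 1000.0
        except ValueError:
            continue                           # skip malformed lines
        events[fields[2]].append((start, 1))
        events[fields[2]].append((end, -1))
    peaks = {}
    for client, evs in events.items():
        # At equal timestamps, process closes (-1) before opens (+1)
        evs.sort(key=lambda e: (e[0], e[1]))
        open_now = peak = 0
        for _, delta in evs:
            open_now += delta
            peak = max(peak, open_now)
        peaks[client] = peak
    return peaks


def flag_clients(log_text, limit):
    """Clients whose peak concurrent tunnel count exceeds `limit`."""
    return sorted(c for c, p in peak_connect_tunnels(log_text).items() if p > limit)


if __name__ == "__main__":
    print(peak_connect_tunnels(SAMPLE_LOG), flag_clients(SAMPLE_LOG, limit=3))
```

Because squid writes a CONNECT entry only when the tunnel closes, connections that are still open do not appear in the log until the client releases them.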
