Re: [squid-users] what are the Pros and cons filtering urls using squid.conf?

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Mon, 10 Jun 2013 10:43:48 -0300

> Actually, I proposed two solutions. While the bash script is messy I
> will admit, the optimal solution of having a parent and child proxy is
> rather elegant, fault tolerant, and works without issue.
>
> The child proxy simply ignores and bypasses the parent proxy while the
> reload procedure is underway, and resumes passing traffic through it
> when it is ready to serve requests. You should try it.

I fail to see that the proposed temporary-redirect-to-other-squid-server
works and is cost effective (solution 1).

Does it work?
- what about the CONNECT tunnels? No, they break
- what about the persistent HTTP connections? No, they break
- changing iptables rules is error prone since there is a split second where the rules are removed.

Is it cost effective?
- a secondary Squid server has an estimated cost between USD 2,000 and USD 10,000. The zero-cost alternative is using ufdbGuard.

About solution 2:
Consider the following scenario:
Suppose the parent proxy configuration must be reloaded.
What mechanism will be used to signal the child proxy to ignore the parent?
- reload its configuration? No, reconfiguration of the client stops all traffic.
- simply let the connection to the parent fail? This will lead to timeouts and everything in progress fails.
- use more than 1 parent? Can be done but is not cost effective since one needs an extra Squid server and still everything in progress fails.
If I am missing something, please explain how the child ignores the parent without interruption of service.

Marcus

> -
> Signed,
>
> Fix Nichols
>
> http://www.squidblacklist.org
>
>
Received on Mon Jun 10 2013 - 13:43:56 MDT
