RE: [squid-users] how to dynamically reconfigure squid?

From: Rafael Akchurin <rafael.akchurin_at_diladele.com>
Date: Fri, 4 Apr 2014 21:55:05 +0000

Hi Waldemar,

Offload filtering to an external ICAP server that can be dynamically (re)configured to allow/block based on users' authentication/IPs?
In that case the teacher adjusts the ICAP server's config, leaving Squid's configuration intact. New requests through the same connections are blocked after the "switch".

Raf

-----Original Message-----
From: Waldemar Brodkorb [mailto:mail_at_waldemar-brodkorb.de]
Sent: Friday, April 04, 2014 9:45 PM
To: squid-users_at_squid-cache.org
Subject: [squid-users] how to dynamically reconfigure squid?

Hi Squid community,

We provide a Linux router with a sandwich setup using squid 3 and dansguardian for German schools. The configuration of ACLs is configured in a Windows ADS server and can be dynamically reconfigured with a management application. When a teacher, for example, configures to allow access to the internet with black listing some sites, the management application connects to the Linux router via secure shell and executes "/etc/init.d/squid3 reload" to make the changes take effect.

This worked fine for a long time with Windows XP clients and Internet Explorer 7/8 using NTLM authentication.

But nowadays Mozilla Firefox, Safari, Internet Explorer 9/10 and Chrome are getting more in use. The first problem is that the static configuration of 5 NTLM authentication helpers is a bit too small. Most of the browsers try to open 7-10 connections to the proxy in parallel while surfing just one website. This kills squid with the too many authentications error.

To fix this problem I updated the Linux router software (Debian/Knoppix derivative) to use Squid 3.4.x, which dynamically starts more NTLM auth helpers when needed. This worked fine in our tests.

Now comes the second problem: when the teacher reconfigures the proxy to close the allowed connections for one class, all opened connections are still alive. I think the reason is that we use the default persistent connections for server and client.

When we disable it, the access to the internet is directly closed, but the entire performance of the proxy seems to be bad.

And it is no solution for any connections which use SPDY.

What do you think? What might be a solution to this problem?
I can't restart squid when changing the ACL rules, because then all users in the network would be disconnected.

I am out of ideas, any help is really appreciated.

best regards
        Waldemar Brodkorb
Received on Fri Apr 04 2014 - 21:55:23 MDT
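
The per-request decision suggested in the reply above, as an added example that is not part of the original thread or of any project's code: an ICAP REQMOD decision function whose policy file is re-read when it changes, so the same client is refused on its next request without Squid being reloaded. Assumptions: Squid is configured with `adaptation_send_client_ip on` and `adaptation_send_username on` (so `X-Client-IP` and `X-Client-Username` arrive), the client sent `Allow: 204`, and the JSON policy format, user name, addresses and sample request are constructed for illustration.

```python
import json, os, tempfile

class Policy:
    """Blocked users/IPs; the JSON file format is an assumption of this example."""
    def __init__(self, path):
        self.path, self.stamp, self.blocked = path, None, set()
    def is_blocked(self, user, ip):
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_ino, st.st_size)
        if stamp != self.stamp:  # the management tool rewrote the file
            with open(self.path) as f:
                self.blocked = set(json.load(f)["blocked"])
            self.stamp = stamp
        return user in self.blocked or ip in self.blocked

def icap_headers(raw):
    """Parse the ICAP header section (everything before the first blank line)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}

def reqmod_response(raw, policy):
    """Decide ONE request; called for every request, also on kept-alive connections."""
    h = icap_headers(raw)
    if not policy.is_blocked(h.get("x-client-username", ""), h.get("x-client-ip", "")):
        return b'ICAP/1.0 204 No Content\r\nISTag: "demo"\r\n\r\n'  # pass unmodified
    http = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    icap = 'ICAP/1.0 200 OK\r\nISTag: "demo"\r\nEncapsulated: res-hdr=0, null-body=%d\r\n\r\n' % len(http)
    return icap.encode("ascii") + http  # Squid answers the client with this 403

def sample_request(user, ip):
    """Constructed REQMOD message of the shape Squid sends (not a capture)."""
    http = b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n"
    head = ("REQMOD icap://127.0.0.1:1344/reqmod ICAP/1.0\r\nHost: 127.0.0.1:1344\r\n"
            "Allow: 204\r\nX-Client-IP: %s\r\nX-Client-Username: %s\r\n"
            "Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % (ip, user, len(http)))
    return head.encode("ascii") + http

def demo():
    """Same client, same request, before and after the policy 'switch'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "policy.json")
        with open(path, "w") as f: json.dump({"blocked": []}, f)
        policy, req = Policy(path), sample_request("pupil7", "10.0.5.21")
        before = reqmod_response(req, policy)
        with open(path + ".new", "w") as f: json.dump({"blocked": ["pupil7"]}, f)
        os.replace(path + ".new", path)  # atomic swap, as a management tool might do
        after = reqmod_response(req, policy)
    return before.split(b"\r\n")[0], after.split(b"\r\n")[0]

if __name__ == "__main__": print(demo())
```

This only affects requests Squid can see individually; bytes flowing through an already established CONNECT tunnel are not re-evaluated.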
