Re: [squid-users] how to dynamically reconfigure squid?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 05 Apr 2014 17:30:24 +1300

On 5/04/2014 10:55 a.m., Rafael Akchurin wrote:
> Hi Waldemar,
>
> Offload filtering to an external ICAP server that can be dynamically
> (re)configured to allow/block based on users' authentication/IPs? In
> that case the teacher adjusts the ICAP server's config, leaving Squid's
> configuration intact. New requests through the same connections are
> blocked after the "switch".
>

The same thing applies to Squid with a reconfigure. All *new* requests
are blocked but existing ones are completed.

> Raf
>
> -----Original Message-----
> From: Waldemar Brodkorb
>
> Hi Squid community,
>
> we provide a Linux router with a sandwich setup using squid 3 and
> dansguardian for German schools. The ACLs are configured on a
> Windows ADS server and can be dynamically reconfigured with a
> management application. When a teacher, for example, configures
> access to the internet with some sites blacklisted, the management
> application connects to the Linux router via secure shell and
> executes "/etc/init.d/squid3 reload" to make the changes take effect.
>
> This worked fine for a long time with Windows XP clients and Internet
> Explorer 7/8 using NTLM authentication.
>
> But nowadays Mozilla Firefox, Safari, Internet Explorer 9/10 and
> Chrome are getting more use. The first problem is that the static
> configuration of 5 ntlm authentication helpers is a bit too small.
> Most of the browsers try to open 7-10 connections to the proxy in
> parallel while surfing just one website. This kills squid with the
> "too many authentications" error.
>
> To fix this problem I updated the Linux router software
> (Debian/Knoppix derivative) to use Squid 3.4.x, which dynamically starts
> more ntlm auth helpers when needed. This worked fine in our tests.
>
> Now comes the second problem, when the teacher reconfigures the proxy
> to close the allowed connections for one class, all opened
> connections are still alive. I think the reason is that we use the
> default persistent connections for server and client.
>
> When we disable it, the access to the internet is directly closed,
> but the entire performance of the proxy seems to be bad.
>
> And it is no solution for any connections which use SPDY.
>

HTTPS and SPDY are becoming more of a problem since popular websites are
moving to use them, and CONNECT tunnels wrap the entire session in HTTP as
a single request.

> What do you think? What might be a solution to this problem? I can't
> restart squid when changing the ACL rules, because then all users in
> the network would be disconnected.

You could set the request_timeout to be short. This would make the
CONNECT requests terminate after a few minutes.

You could also use the SSL-bump feature in Squid. This has the double benefit
of allowing the control software to act on the HTTPS requests and
preventing SPDY etc. from being used by the browser.

Amos
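A squid.conf fragment pulling together the settings discussed in this thread (on-demand NTLM helpers, persistent connections kept on but time-bounded, a short request_timeout, and SSL-bump). This is an added example, not configuration from the original posters or from the Squid project; the file paths, helper counts, timeout values and the 192.168.1.0/24 network are assumptions, and directive names follow Squid 3.4.

```conf
# squid.conf fragment (added example for this thread; not from the original
# posts or from the Squid project). Paths, counts, timeouts and the
# 192.168.1.0/24 network are assumptions for illustration. Squid 3.4 syntax.

# --- NTLM helpers -----------------------------------------------------------
# The static pool of 5 helpers overflowed when each browser opened 7-10
# parallel connections. Squid 3.2+ grows the pool on demand: "children" is
# the ceiling, "startup" the number forked at start, "idle" the spare
# helpers kept ready for new connections.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30 startup=5 idle=2
auth_param ntlm keep_alive on

# --- Connection lifetime ----------------------------------------------------
# A reconfigure only affects *new* requests; requests already in flight are
# completed. Persistent connections stay on for performance, but idle and
# long-lived connections are bounded so an ACL change takes hold within
# minutes instead of living as long as the browser keeps the socket open.
client_persistent_connections on
server_persistent_connections on
persistent_request_timeout 1 minute    # idle time before a kept-alive client connection closes
request_timeout 2 minutes              # as suggested in the reply above (default 5 minutes)
client_lifetime 30 minutes             # hard cap on any single client connection (default 1 day)

# --- Policy the management tool rewrites before "/etc/init.d/squid3 reload"
acl localnet src 192.168.1.0/24
acl blocked_sites dstdomain "/etc/squid3/blocked_sites.txt"
http_access deny blocked_sites
http_access allow localnet
http_access deny all

# --- SSL-bump (optional) ----------------------------------------------------
# Lets http_access see the real HTTPS request instead of an opaque CONNECT
# tunnel, and stops browsers negotiating SPDY through the proxy.
http_port 3128 ssl-bump cert=/etc/squid3/ssl_cert/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/squid3/ssl_db -M 4MB
ssl_bump server-first all
```

Clients must trust the proxyCA.pem certificate for SSL-bump to work without browser warnings, which in a school deployment is typically pushed via the same ADS that holds the ACLs.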
Received on Sat Apr 05 2014 - 04:30:35 MDT
