Hi Squid community,
we provide a Linux router with a sandwich setup using squid 3 and
dansguardian for german schools. The configuration of ACL's is
configured in a Windows ADS server and can be dynamically
reconfigured with a management application. When a teacher for
example configures to allow access to the internet with black
listing some sites, the management application connects to the
Linux router via secure shell and executes "/etc/init.d/squid3
reload" to make the changes an effect.
This worked fine for a long time with windows xp clients and
internet explorer 7/8 using NTLM authentication.
But nowadays Mozilla Firefox, Safari, Internet Explorer 9/10 and
Chrome is getting more in use. The first problem is that the static configuration
of 5 ntlm authentication helpers is a bit too small. Most of the
browsers trying to open 7-10 connections to the proxy in parallel
while surfing just one website. This kills squid with the too many
authentications error.
To fix this problem I updated the Linux router software
(Debian/Knoppix derivate) to use Squid 3.4.x which dynamically
starts more ntlm auth helpers when needed. This worked fine in our
tests.
Now comes the second problem, when the teacher reconfigures the
proxy to close the allowed connections for one class, all opened
connections are still alive. I think the reason is that we use
the default persistent connections for server and client.
When we disable it, the access to the internet is directly closed,
but the entire performance of the proxy seems to be bad.
And it is no solution for any connections, which using SPDY.
What do you think? What might be a solution to this problem?
I can't restart squid when changing the ACL rules, because then
all users in the network would be disconnected.
I am out of ideas, any help is really appreciated.
best regards
Waldemar Brodkorb
Received on Fri Apr 04 2014 - 19:45:03 MDT
This archive was generated by hypermail 2.2.0 : Sat Apr 05 2014 - 12:00:03 MDT