Re: [squid-users] D

From: Loïc BLOT <loic.blot_at_unix-experience.fr>
Date: Fri, 19 Apr 2013 18:56:21 +0200

Here I haven't any error in my cache.log.
I think Squid must warn when it tries to apply a second http_port
directive on an already configured port (a little map like std::map
squid_tcp_modes with squid_tcp_modes[3128] = 0/1/2 (normal, transparent,
intercept) could resolve the problem by registering currently loaded
http_port directives). Then the configuration mistake cannot be possible.

For the DoS problem when I use http_port 3128 transparent only, it's
right that Squid is started and all its children, but it refuses all
connections.

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network expert
http://www.unix-experience.fr
On Friday 19 April 2013 at 10:15 -0600, Alex Rousskov wrote:
> On 04/19/2013 09:10 AM, Amos Jeffries wrote:
> 
> >> * Squid must refuse configuration when same http_ports are declared with
> >> different modes
> 
> > You wish your live production server to cease service completely [...]
> > if you make a small configuration mistake?
> 
> Many admins do, and rightfully so: Squid cannot determine whether wrong
> http_ports are a "small" mistake or a "huge" one. Or, from a different
> angle, whether not serving traffic correctly is better than not serving
> traffic at all.
> 
> Besides, at the time the admin runs "squid" or "service start squid",
> that Squid instance is not providing any service so the "cease service"
> argument above can only be applied to REconfiguration. At
> reconfiguration time, the right action upon detecting a problem is
> probably to do nothing (rather than ignore the problem in one area and
> reconfigure the rest of Squid as if all areas are independent). Today,
> Squid cannot validate configurations without applying them, but that
> should be the goal IMHO.
> 
> 
> Errors in cache.log are useful for determining the cause of startup
> failure. They are not very useful for _detecting_ a problem if Squid
> seems to start OK because, in part, few admins look at cache.log after
> what looks like a successful start ("service squid start" may not show
> the log) and, in part, because our cache.log is often too noisy for a
> casual observer to see useful information.
> 
> 
> $0.02,
> 
> Alex.
> 

Received on Fri Apr 19 2013 - 16:51:05 MDT
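
The port-to-mode map proposed in the message above can be run as a pre-flight check outside Squid, before a start or reconfigure. This is an added example, not part of the original messages and not Squid's own code. It assumes a map keyed by port number only, as in the proposal; it also recognises the tproxy and accel keywords in addition to the modes named in the thread, and the function names and sample configuration are constructed.

```python
import sys

# Mode keywords that can follow the address on an http_port line; a line
# with none of them is treated as a normal forward-proxy port.
MODES = {"transparent", "intercept", "tproxy", "accel"}

def parse_http_ports(conf_text):
    """Yield (line_no, port, mode) for every http_port directive."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        port_text = fields[1].rsplit(":", 1)[-1]   # accepts "3128" and "ip:3128"
        if not port_text.isdigit():
            continue
        found = [f for f in fields[2:] if f in MODES]
        yield line_no, int(port_text), (found[0] if found else "normal")

def find_conflicts(conf_text):
    """Return {port: [(line_no, mode), ...]} for ports declared with >1 mode."""
    seen = {}
    for line_no, port, mode in parse_http_ports(conf_text):
        seen.setdefault(port, []).append((line_no, mode))
    return {p: decls for p, decls in seen.items()
            if len({m for _, m in decls}) > 1}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
# forward proxy
http_port 3128
http_port 3128 transparent   # same port, second mode
http_port 192.0.2.10:3129 intercept
http_port 8080
http_port 8080               # duplicate with the same mode, not a conflict
"""

def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONF
    conflicts = find_conflicts(text)
    for port, decls in sorted(conflicts.items()):
        where = ", ".join(f"line {n} ({m})" for n, m in decls)
        print(f"http_port {port} declared with different modes: {where}")
    return 1 if conflicts else 0   # non-zero exit lets an init script refuse to start

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the path to a configuration file as the only argument; without one it checks the embedded sample.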
