[squid-users] Refresh ACL list only
Marcus Kool
marcus.kool at urlfilterdb.com
Tue Mar 17 19:53:28 UTC 2015
On 03/17/2015 04:32 PM, Brendan Kearney wrote:
> On Tue, 2015-03-17 at 16:13 -0300, Marcus Kool wrote:
>> it has a configuration option to respond with
>> 'allow all' during a reconfiguration.
>
> A fail-open policy can be a security gap, and should be considered
> carefully before implementing. The intention of the whitelisted URLs is
> to prevent access to content that is otherwise forbidden. Failing open,
> even briefly, undermines that control. What is the default setting
> there?
The default is 'allow all' and can be changed into 'deny all'.
Neither is perfect.
Another related parameter is url-lookup-delay-during-database-reload
which, if set, artificially gives a slow response that significantly
reduces the number of URL queries in the reconfiguration interval.
One can also do the haproxy failover scenario with ufdbguard.
1 load balance using squid1 and squid2
2 load balancer: use squid1 only for new connections and wait 2 seconds
3 ufdbguard2/squid2: ufdbguardd reload and wait 10 seconds
4 load balancer: use squid2 only for new connections and wait 2 seconds
5 ufdbguard1/squid1: ufdbguardd reload and wait 10 seconds
6 load balance using squid1 and squid2
In state 2, existing connections on squid2 are left alone and no new requests come in, so it is safe to reconfigure ufdbguard.
The same holds for state 4.
Marcus
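The six-state rolling reload above, written out as a POSIX shell script. This is an added example, not code from the post or from the ufdbGuard or haproxy projects. It assumes haproxy exposes its runtime API on a Unix socket, that the backend is named "squid" with servers "squid1" and "squid2", that each squid host is reachable over ssh, and that "ufdbguardd -r" reloads the daemon (all of these are assumptions; the reload command and the waits are variables so they can be matched to the installed versions). Draining a server in haproxy stops new connections to it while existing ones finish, which is exactly the property the post relies on.

```shell
#!/bin/sh
# Added example: drive the two-node ufdbguard reload through haproxy's
# runtime API. Assumed, not from the post: socket path, backend/server
# names, ssh reachability, and "ufdbguardd -r" as the reload command.

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
BACKEND="${BACKEND:-squid}"
RELOAD_CMD="${RELOAD_CMD:-ufdbguardd -r}"   # assumption; check your version
DRAIN_WAIT="${DRAIN_WAIT:-2}"                # seconds for in-flight requests
RELOAD_WAIT="${RELOAD_WAIT:-10}"             # seconds for the database reload
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print the plan, run nothing

# Send one command to the haproxy runtime API (requires socat).
hap() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "haproxy: $*"
    else
        printf '%s\n' "$*" | socat stdio "$HAPROXY_SOCK"
    fi
}

# Run the ufdbguard reload command on a squid host.
reload_on() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$1: $RELOAD_CMD"
    else
        ssh "$1" "$RELOAD_CMD"
    fi
}

pause() {
    if [ "$DRY_RUN" = 1 ]; then echo "sleep $1"; else sleep "$1"; fi
}

# States 2-3 (or 4-5): take $1 out of rotation for new connections, let
# its existing connections drain, reload ufdbguard there, then put it back.
# The other node keeps serving all new connections the whole time, so the
# reload never answers a query with the transient allow/deny setting.
reload_one() {
    hap "set server $BACKEND/$1 state drain"
    pause "$DRAIN_WAIT"
    reload_on "$1"
    pause "$RELOAD_WAIT"
    hap "set server $BACKEND/$1 state ready"
}

# States 1-6: squid2 first, then squid1. squid2 is marked ready before
# squid1 is drained, so at least one node always accepts new connections.
rolling_reload() {
    reload_one squid2
    reload_one squid1
}

if [ "${1:-}" = "run" ]; then
    rolling_reload
fi
```

Run with `DRY_RUN=1 sh reload.sh run` first to see the plan. The fixed 10-second wait copies the post; on a large database it is safer to replace it with a check that the reloaded daemon answers queries again before marking the server ready.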