[squid-users] ephemeral port selection

Marc gaardiolor at gmail.com
Tue May 7 15:37:18 UTC 2019


Dear all,

We're considering running squid for thousands of users. Squid will use
a single parent proxy IP address. A lot of connections will go from
the Child squid to the Parent proxy. Often, the Parent proxy initiates
closing the TCP connection by sending the first FIN. This results in the
connection going to TIME_WAIT at the Parent proxy, but not at the
Child squid proxy, as per RFC. This means, from the perspective of the
Child squid proxy, it's perfectly legal to re-use the same source port
immediately. Or, at least, before the TIME_WAIT of the Parent Proxy
(and the Firewalls in between) expires.

This will result in timeouts / slowness. Not very often, since we can
configure an ephemeral port range 1025-65535 = 64511 available ports,
but it does happen occasionally, considering the large number of
connections we have from the Child squid proxy to the Parent proxy.

This is not a theoretical exercise, we have seen this in the past.
Currently, using other proxy servers, we overcome this issue by
disabling TCP Ephemeral Port Randomization. This mitigates this issue
entirely, since not all 64511 ports are used within the TIME_WAIT
timeout. Security impact is low since it's local traffic.

I think squid relies on the OS to select the ephemeral source port,
and in Linux I can see no way to disable this. Is it possible to
disable ephemeral port randomization within squid? If it is
impossible, can this be considered as a new feature?

Thanks!


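The following is a constructed simulation added to this archive page; it is not part of Marc's post and not squid or Linux code. It models the situation described above: one child proxy IP opening connections to a single parent IP:port, the parent always sending the first FIN, so the parent (and any stateful firewall in between) holds each 4-tuple in TIME_WAIT while the child sees the port as free at once. The 60 s TIME_WAIT length, the 500 and 1100 connections-per-second rates, the fixed 1 s connection lifetime, and the uniform random allocator standing in for the OS port picker are all assumptions of the model, not measurements from any real deployment.

```python
"""Toy model of ephemeral source-port reuse against a peer that holds TIME_WAIT.

Constructed example. A single child IP talks to a single parent IP:port, so
the child's source port is the only varying part of the 4-tuple, and picking
a port the parent still holds in TIME_WAIT is the collision we count.
"""
import random
from collections import deque

PORT_RANGE = range(1025, 65536)  # the 64511-port range mentioned in the post
TIME_WAIT = 60  # seconds; Linux's TCP_TIMEWAIT_LEN is 60 s, but this is just a model parameter


def max_collision_free_rate(lifetime, time_wait=TIME_WAIT, ports=len(PORT_RANGE)):
    """Rough upper bound (conns/s) at which a sequential picker never lands on
    a port the peer still holds: the range must take longer to cycle than
    one connection lifetime plus one TIME_WAIT period."""
    return ports // (lifetime + time_wait)


def simulate(strategy, rate, lifetime, duration, time_wait=TIME_WAIT, seed=1):
    """Return (collisions, total) after `duration` seconds at `rate` new conns/s.

    strategy: "random"     - uniformly random free local port (assumed stand-in
                             for an OS randomized picker)
              "sequential" - walk the range in order, wrapping around
    lifetime: seconds a connection stays open before the parent sends FIN.
    """
    rng = random.Random(seed)
    lo, n = PORT_RANGE.start, len(PORT_RANGE)
    local_in_use = {}      # child port -> second at which the parent closes it
    peer_time_wait = {}    # child port -> second at which the parent's TIME_WAIT expires
    open_conns = deque()   # (close_time, port), close times are monotonic
    tw_conns = deque()     # (expiry_time, port), expiry times are monotonic
    next_port = lo
    collisions = total = 0

    for t in range(duration):
        # Parent actively closes connections whose lifetime is up: the child
        # may reuse the port immediately, the parent sits in TIME_WAIT.
        while open_conns and open_conns[0][0] <= t:
            _, port = open_conns.popleft()
            del local_in_use[port]
            peer_time_wait[port] = t + time_wait
            tw_conns.append((t + time_wait, port))
        # Parent's TIME_WAIT entries expire; skip stale entries superseded by a reuse.
        while tw_conns and tw_conns[0][0] <= t:
            expiry, port = tw_conns.popleft()
            if peer_time_wait.get(port) == expiry:
                del peer_time_wait[port]

        for _ in range(rate):
            if len(local_in_use) >= n:
                raise RuntimeError("local ephemeral range exhausted")
            if strategy == "random":
                port = lo + rng.randrange(n)
                while port in local_in_use:
                    port = lo + rng.randrange(n)
            elif strategy == "sequential":
                while next_port in local_in_use:
                    next_port = lo + (next_port + 1 - lo) % n
                port = next_port
                next_port = lo + (next_port + 1 - lo) % n
            else:
                raise ValueError(strategy)
            # The child sees the port as free, but the parent may still hold it.
            if port in peer_time_wait:
                collisions += 1
            local_in_use[port] = t + lifetime
            open_conns.append((t + lifetime, port))
            total += 1
    return collisions, total


if __name__ == "__main__":
    for strat, rate in (("random", 500), ("sequential", 500), ("sequential", 1100)):
        hits, tot = simulate(strat, rate=rate, lifetime=1, duration=300)
        print(f"{strat:10s} @ {rate:4d}/s: {hits:6d} of {tot} connects hit a parent TIME_WAIT port")
    print("sequential stays collision-free below about",
          max_collision_free_rate(lifetime=1), "conns/s in this model")
```

At 500 connections per second with a 60 s TIME_WAIT the parent holds roughly 30,000 of the 64,511 ports at any moment, so a uniform random picker collides on close to half of its connects, while the sequential picker cycles the whole range in about 129 s and never returns to a port before the parent has released it. The third run shows the limit the post alludes to: once the rate exceeds about 1057 connects per second (64511 ports divided by 61 s), even sequential allocation wraps around inside the TIME_WAIT window and starts colliding, so disabling randomization only helps while the whole range is not consumed within one TIME_WAIT period.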