[squid-dev] [PATCH] Reuse reserved Negotiate and NTLM helpers after an idle timeout.
Amos Jeffries
squid3 at treenet.co.nz
Thu Jul 27 05:06:42 UTC 2017
On 26/07/17 21:37, Christos Tsantilas wrote:
> Squid can be killed or maimed by enough clients that start multi-step
> connection authentication but never follow up with the second HTTP
> request while keeping their HTTP connection open. Affected helpers
> remain in the "reserved" state and cannot be reused for other clients.
> Observed helper exhaustion has happened without any malicious intent.
>
> To address the problem, we add a helper reservation timeout. Timed out
> reserved helpers may be reused by new clients/connections. To minimize
> problems with slow-to-resume-authentication clients, timed out reserved
> helpers are not reused until there are no unreserved running helpers
> left. The reservations are tracked using unique integer IDs.
>
> Also fixed Squid crashes caused by unexpected helper termination -- the
> raw UserRequest::authserver pointer could point to a deleted helper.
>
> This is a Measurement Factory project.
Er, I see no attachment.
Can you do this as a PR now? it will need someone to do that to get it
committed nowdays.
Amos
More information about the squid-dev
mailing list