[squid-dev] Security_file_gen in a server format development

Alex Rousskov rousskov at measurement-factory.com
Sun Dec 30 17:07:39 UTC 2018


On 12/29/18 11:45 PM, Eliezer Croitoru wrote:

> From what I understood until now it seems that the current ssl_db
> directory structure is simple enough that it might be possible to share
> it across an NFS store.

I would expect an NFS store to work in environments that support file
locking over NFS. For example, NFS flock(2) does not work with Linux
kernels up to v2.6.11. For the list of environment-specific file locking
system calls used by the certificate generator, see Ssl::Lock::lock().


> Since squid is being used in a couple of locations as security software,
> it would be good for security admins to be able to have some history logs.

The generated certificate database is just an optimization/cache.
Logging certificate cache operations would probably be as useful/useless
as store.log is for the HTTP cache. It would be good to discuss and
target some specific use cases before designing where and how to log
certificate operations.

Alex.
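
As an added example (not part of the original message and not Squid code): a probe an administrator could run against the directory intended to hold ssl_db, to see whether flock(2), the call the message names, is honoured there. The function name, return strings and probe file prefix are assumptions of this sketch; which locking call the generator actually uses on a given platform is in Ssl::Lock::lock().

```python
import fcntl
import os
import sys
import tempfile


def probe_flock(directory):
    """Return 'exclusive', 'not-enforced' or 'unsupported' for flock(2) in directory."""
    fd, path = tempfile.mkstemp(prefix="lockprobe-", dir=directory)
    try:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError:
            return "unsupported"  # e.g. ENOLCK on a mount without lock support
        pid = os.fork()
        if pid == 0:
            # Child: open the file again to get a separate open file
            # description, then try to take the same lock without blocking.
            code = 2
            try:
                cfd = os.open(path, os.O_RDWR)
                try:
                    fcntl.flock(cfd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                    code = 1  # second exclusive lock granted: not enforced
                except BlockingIOError:
                    code = 0  # refused while the parent holds the lock
                except OSError:
                    code = 2  # locking call failed outright
            finally:
                os._exit(code)  # never return into the parent's code path
        _, status = os.waitpid(pid, 0)
        code = os.WEXITSTATUS(status)
        return {0: "exclusive", 1: "not-enforced"}.get(code, "unsupported")
    finally:
        os.close(fd)  # closing the descriptor also releases the lock
        os.unlink(path)


if __name__ == "__main__":
    # Usage: python3 probe.py /path/to/shared/dir  (defaults to the temp dir)
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    print(target, probe_flock(target))
```

A result of "exclusive" from one host only shows that the mount accepts and enforces the lock locally; a mount configured for client-local locking can pass here and still fail to exclude a second NFS client, so repeat the check with the holder and the contender on different clients.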


