Re: [squid-users] Massive problems with https connections to Domino

vda wrote:
> On Monday 09 February 2004 13:15, Rainer Traut wrote:
>
> I see ~50 connections open from squid to domino,
> all of them are being closed when you close IE.
This might be by accident, but SSL_RESUMABLE_SESSIONS is 50.

> Since I do not see tcpdump between IE and squid,
> I can only guess that IE, too, kept ~50 open
> connections to squid. You can verify this with
> tcpdump and/or by viewing squid access log.
Yes, that's right, same count.

> Why IE don't do it when you go direct? I don't know.
> You may do detailed tcpdumps and try to spot differences
> between direct/cached cases.
I will try this.

> BTW. Is your squid transparent?
No.

> BTW#2. Why do you proxy https traffic at all?
> What are you trying to achieve?
Security. From what I learned is to deny direct tcp connections to the
internet. I can go direct in this case but that is an exception.
Besides it's easy to implement squid's acl.

> IE DoSes your server. In this case inadvertently but still,
> you have to take measures.
> You probably should configure squid/Domino to limit number
> of TCP connections from one IP, total number of open
> connections and/or limit max connection lifetime.
I know you are very kind and are trying to help me, thx very much for
this. But this cannot be a solution. There is something fundamentally
wrong. I can take down one server with just one client -easily-.

Wild guess here: Might it has sth to do with
IE's ssl_unclean_shutdown I am reading everywhere?
Perhaps Domino shuts down the SSL connections right when IE is direct
connected but fails with proxy?

Rainer