
List:       squid-dev
Subject:    Re: Comm::TcpAcceptor::doAccept fd limit handling is broken
From:       Rainer Weikusat <rweikusat () mobileactivedefense ! com>
Date:       2014-07-18 22:15:32
Message-ID: 87wqbamhyz.fsf () sable ! mobileactivedefense ! com

Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:

[...]

> It is possible to hit the 'fd limit'
> bug (with a single client) by running squid with a tight file descriptor
> limit (eg, 64) and trying hard enough. In order to make for easier
> debugging, I changed the TcpAcceptor/ AcceptLimiter code to act as if
> only a single file descriptor was available for client connections

There's actually a 2nd way to hit this easily but I didn't want to
mention that until I had a fix for that in my tree[*]: Configure a port
for 'server first' SSL interception and make a direct connection to
that. This will cause the proxy to connect to itself in order to peek at
the server certificate [until out of memory, goto start of the sentence].

[*] That's based on maintaining a hashed database of the local addresses
of all outgoing connections and rejecting incoming connections from any
of these addresses. This may not be the smartest way to deal with this
situation but it works. But it's written in C as I generally use C for
all additions I have to make to 'our squid'.
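The loop-prevention idea sketched in the footnote, written out as an added example (my own illustration, not the poster's patch and not Squid code): every outgoing connection registers its local address:port in a hash set, and the acceptor rejects any accepted connection whose peer address:port is in that set, since such a peer can only be this process itself. To keep it self-contained it uses host-order IPv4 integers instead of sockaddr structs, a fixed bucket count, and the hypothetical names outgoing_register, outgoing_unregister and should_reject_incoming; the sample addresses in main are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 256u   /* assumed table size for this example */

typedef struct node {
    uint32_t ip;          /* IPv4 address, host byte order */
    uint16_t port;        /* TCP port, host byte order */
    struct node *next;    /* chaining for collisions */
} node_t;

static node_t *buckets[NBUCKETS];
static size_t n_entries;

/* Build a host-order IPv4 address from dotted octets (helper for demos/tests). */
uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* FNV-1a over the six key bytes (4 of address, 2 of port), reduced to a bucket. */
static size_t bucket_of(uint32_t ip, uint16_t port) {
    uint32_t h = 2166136261u;
    uint8_t key[6] = { (uint8_t)(ip >> 24), (uint8_t)(ip >> 16), (uint8_t)(ip >> 8),
                       (uint8_t)ip, (uint8_t)(port >> 8), (uint8_t)port };
    for (size_t i = 0; i < sizeof key; i++) { h ^= key[i]; h *= 16777619u; }
    return h % NBUCKETS;
}

/* Returns the link holding the matching node, or the NULL link where it would go. */
static node_t **lookup(uint32_t ip, uint16_t port) {
    node_t **pp = &buckets[bucket_of(ip, port)];
    while (*pp && ((*pp)->ip != ip || (*pp)->port != port))
        pp = &(*pp)->next;
    return pp;
}

/* Record the local address:port of a connection this process is opening.
 * Returns 0 on success (also when already recorded), -1 on allocation failure. */
int outgoing_register(uint32_t local_ip, uint16_t local_port) {
    node_t **pp = lookup(local_ip, local_port);
    if (*pp) return 0;
    node_t *n = malloc(sizeof *n);
    if (!n) return -1;
    n->ip = local_ip; n->port = local_port; n->next = NULL;
    *pp = n;
    n_entries++;
    return 0;
}

/* Forget the entry once that outgoing connection is closed. */
void outgoing_unregister(uint32_t local_ip, uint16_t local_port) {
    node_t **pp = lookup(local_ip, local_port);
    if (!*pp) return;
    node_t *n = *pp;
    *pp = n->next;
    free(n);
    n_entries--;
}

size_t outgoing_count(void) { return n_entries; }

/* Called right after accept(): the peer address of the new connection is the
 * remote side's local address. If it is one of our own outgoing sockets, the
 * connection was made by this very process, so the acceptor should drop it
 * instead of feeding another round of self-connections. */
bool should_reject_incoming(uint32_t peer_ip, uint16_t peer_port) {
    return *lookup(peer_ip, peer_port) != NULL;
}

int main(void) {
    uint32_t me = ipv4(10, 0, 0, 5);              /* constructed proxy address */
    outgoing_register(me, 40001);                 /* proxy opened 10.0.0.5:40001 -> somewhere */
    printf("peer 10.0.0.5:40001 rejected: %d\n", should_reject_incoming(me, 40001));
    printf("peer 10.0.0.5:40003 rejected: %d\n", should_reject_incoming(me, 40003));
    outgoing_unregister(me, 40001);
    printf("after close, rejected: %d\n", should_reject_incoming(me, 40001));
    return 0;
}
```

The match is on the exact address and port pair, so only connections whose peer really is one of this process's own sockets are caught; traffic whose source address was rewritten on the way in (NAT-based interception) will not match, and the entries must be unregistered on close or a long-running proxy leaks the table.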