On Monday 09 February 2004 13:15, Rainer Traut wrote:This might be by accident, but SSL_RESUMABLE_SESSIONS is 50.
I see ~50 connections open from squid to domino, all of them are being closed when you close IE.
Yes, that's right, same count.Since I do not see tcpdump between IE and squid, I can only guess that IE, too, kept ~50 open connections to squid. You can verify this with tcpdump and/or by viewing squid access log.
I will try this.Why IE don't do it when you go direct? I don't know. You may do detailed tcpdumps and try to spot differences between direct/cached cases.
BTW. Is your squid transparent?No.
Security. From what I learned is to deny direct tcp connections to the internet. I can go direct in this case but that is an exception.BTW#2. Why do you proxy https traffic at all? What are you trying to achieve?
Besides it's easy to implement squid's acl.
I know you are very kind and are trying to help me, thx very much for this. But this cannot be a solution. There is something fundamentally wrong. I can take down one server with just one client -easily-.IE DoSes your server. In this case inadvertently but still, you have to take measures. You probably should configure squid/Domino to limit number of TCP connections from one IP, total number of open connections and/or limit max connection lifetime.
Wild guess here: Might it has sth to do with
IE's ssl_unclean_shutdown I am reading everywhere?
Perhaps Domino shuts down the SSL connections right when IE is direct connected but fails with proxy?
Rainer
