Re: APT do not work with Squid as a proxy because of pipelining default

To: debian-devel@lists.debian.org
Subject: Re: APT do not work with Squid as a proxy because of pipelining default
From: Philipp Kern <trash@philkern.de>
Date: Wed, 19 May 2010 16:22:42 +0000 (UTC)
Message-id: <[🔎] slrnhv842i.j97.trash@kelgar.0x539.de>
Reply-to: phil@philkern.de
References: <eL13Q-1VN-1@gated-at.bofh.it> <eL2CC-4ij-15@gated-at.bofh.it> <eLgmf-7BR-11@gated-at.bofh.it> <eLiR4-2Tj-5@gated-at.bofh.it> <eLkpQ-5eC-7@gated-at.bofh.it> <[🔎] 4BF31D2E.7020209@rilynn.me.uk> <[🔎] AANLkTikdEp4HoGhNs30kc-jRYXqBa9Fmudd9-dvjFMU0@mail.gmail.com> <[🔎] 8739xnvpj2.fsf@frosties.localdomain>

On 2010-05-19, Goswin von Brederlow <goswin-v-b@web.de> wrote:
> Reading that I don't think that is really a pipelining issue. You do not
> need pipelineing for it to work. The real problem is keep-alive. The
> connection isn't destroyed after each request so you can put multiple
> requests into the stream and exploit different brokenness in different
> parsers along the way.

Those are bugs in the servers that allow that output, though.

> I think you have failed to show that pipelining is broken. What seems
> "broken" is Keep-Alive. Do you suggest we stop using Keep-Alive to
> prevent broken parsers from being exploited? Make a full 3-way handshake
> for every request?

I think we would want keep-alive with a pipeline depth of 1 (i.e. send the
new request after the old one was processed).  I'd rather think that
TCP slow start is a problem if you avoid keepalive than the full 3-way
handshake (which is annoying too).  Concurrent requests put an unreasonable
load onto the mirrors, so we should avoid that.

Kind regards,
Philipp Kern

Reply to:

Follow-Ups:
- Re: APT do not work with Squid as a proxy because of pipelining default
  - From: Goswin von Brederlow <goswin-v-b@web.de>

References:
- Re: APT do not work with Squid as a proxy because of pipelining default
  - From: Roger Lynn <Roger@rilynn.me.uk>
- Re: APT do not work with Squid as a proxy because of pipelining default
  - From: Robert Collins <robertc@robertcollins.net>
- Re: APT do not work with Squid as a proxy because of pipelining default
  - From: Goswin von Brederlow <goswin-v-b@web.de>

Prev by Date: Re: APT do not work with Squid as a proxy because of pipelining default
Next by Date: Re: SRWare Iron: Chromium without the data-mining
Previous by thread: Re: APT do not work with Squid as a proxy because of pipelining default
Next by thread: Re: APT do not work with Squid as a proxy because of pipelining default
Index(es):
- Date
- Thread