Web browsing with content filtering on in 5.014 is noticeably degraded. Tried with AV on and off with no effect. Disabled content filtering and performance is back.
Please let me take a few minutes to explain the problems we experienced within the HTTP proxy lately. It might look like Astaro is not producing quality updates anymore, but it ain't that simple.
During the last weeks we had more and more support calls that a) HTTPS-based login pages are not working, b) sometimes the HTTP proxy stops working completely.
After searching for a couple of days we found the problem.
a) Internet Explorer seems to have a broken SSL client which is very picky if we disconnect the connection instantly after sending the last byte or if we keep the connection for an additional second to clean up internal stuff. Even if we delivered the full content, IE only displayed a blank page; this happened mostly at HTTPS login pages.
This was one of the most tricky problems I know of, but we finally worked around this IE problem, which also is against the standard. Mozilla, Firebird and other browsers always worked fine.
b) For an unknown reason the proxy stops working. During all our automated tests and also in all manual testing, we never found such a behavior. After nailing it down we finally found the problem.
Our HTTP proxy has 50 working threads which do all the HTTP proxy handling. Normally a standard HTTP request takes only a part of a second to be processed, therefore in most of the cases this is enough. In the log files we found several URLs which pointed to sites that caused the problem. Those sites had two interesting functionalities.
1) A chat window: this is a page where new entries are always added from other chatters. This is a dynamically generated page that does not send its Content-Length and always keeps the connection open to send new chat lines into this window. This connection never closes.
2) A broken redirect script that disconnects the connection without sending data.
In both cases the corresponding thread waited to either get data or a closed connection. Now if all 50 threads are occupied with such work, no other traffic can go through and the proxy seems to be dead.
Both 1) and 2) are again not standard-conformant. Now we learned the lesson that we cannot trust official standards on the internet, as everybody has their own interpretation of them.
In order to fix 1) we needed to add a mechanism that periodically checks if a certain thread is inactive and older than the configured timeout. The mechanism was a little bit too aggressive; it consumed too much performance on certain pages that were dynamically generated.
Our automated testing suite didn't find this issue, as until now we only used static content, which was not affected by this issue.
This issue has been fixed today and released through an up2date.
We additionally doubled the performance on installations where only Cobion Surf Protection is used and no Virus Protection for Web.
I personally consider the HTTP proxy inside 5.015 as stable; there are no known issues other than minor performance issues in high-load environments, which we are currently working on.
I hope this explains the complexity of this functionality and gives you more confidence that we now produce good quality.
If you have any questions, please don't hesitate to ask.
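The worker exhaustion described in the post above can be reproduced and bounded in a few lines. This is an added example, not part of the original post and not Astaro's code: it uses a per-read idle timeout rather than the periodic checker the post describes, and the pool size, timeout value and the `relay`/`demo` names are assumptions made for the illustration.

```python
import select
import socket
from concurrent.futures import ThreadPoolExecutor

POOL_SIZE = 4        # stands in for the 50 worker threads in the post
IDLE_TIMEOUT = 0.2   # seconds; constructed value, short so the demo finishes quickly


def relay(upstream, idle_timeout=IDLE_TIMEOUT):
    """Read a response until EOF, giving up if the server stays silent too long.

    Returns (reason, bytes_read) so the caller can log why the worker was freed.
    """
    total = 0
    try:
        while True:
            readable, _, _ = select.select([upstream], [], [], idle_timeout)
            if not readable:
                return ("idle_timeout", total)   # open but silent: free the worker
            chunk = upstream.recv(4096)
            if not chunk:
                return ("eof", total)            # server closed, with or without data
            total += len(chunk)
    except ConnectionError:
        return ("reset", total)
    finally:
        upstream.close()


def demo():
    """Fill every worker with a silent upstream, then queue one normal request."""
    held = []       # server-side ends kept open, like the chat page (constructed)
    jobs = []
    with ThreadPoolExecutor(max_workers=POOL_SIZE) as pool:
        for _ in range(POOL_SIZE):
            server, client = socket.socketpair()
            held.append(server)                  # never sends, never closes
            jobs.append(pool.submit(relay, client))
        server, client = socket.socketpair()
        server.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")
        server.close()                           # well-behaved: sends, then closes
        jobs.append(pool.submit(relay, client))
        results = [j.result(timeout=5) for j in jobs]
    for s in held:
        s.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Without the `select` timeout the fifth request would wait forever behind the four silent connections; with it, each stuck worker is released after `IDLE_TIMEOUT` and the queued request completes.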