[squid-users] refresh_pattern and same objects

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 21 16:32:52 UTC 2015

On 21/08/2015 11:39 p.m., FredB wrote:
> Hi all,
> I think I misunderstand something but why refresh pattern is not useless ?
> I mean the objects are supposed to be delivered with instructions from the web server, lifetime, creation time, etc 

Well, we like it when they do. Since that makes things easy and
predictable. Especially for the third-party debugging. But no they are
not actually required to.

Still the HTTP freshness algorithm does have a certain fixed set of
parameters that are needed to caculate freshness for every response object.

In the absence of header values from the server the refresh_pattern
whose regex matches the URL provides the default values for the
parameters min/max-storage-time and lifetime-expectency-percent.

> I thought, and it seem I'm wrong ?, that squid check the HTTP header when the object seems expired (HEAD request), if yes the object should be refreshed, or not, when is life is ended ?

Sending a HEAD request would use an RTT of latency, plus server CPU
cycles just to figure out if another fetch was needed.

HTTP/1.0 has to work that way because it has no revalidation mechanism.

HTTP/1.1 revaidation collapses all that cost down into one with a
conditional-GET request (aka, IMS or INM). Which either updates just
headers, or headers+payload in one go.

Still, by not sending explicit values the server is offering cache admin
the privilege of deciding for themselves what type of storage profile to
use. refresh_pattern is the squid.conf mechanism for doing that.

> Force a long refresh pattern is not dangerous ? For example with some security files. 

HTTP specs permit up to 68 years storage for any given item. That is
imposed only by a need for age values to fit within a 32-bit integer.

Objects with security sentitive details MUST be labelled appropriately
as Expires:-1 and Cache-Control: private, no-store, no-transform -
whichever applies to that objects data.

Caches MUST obey those controls.

 "MUST" being the spec emphasis and meaning for mandatory requirement.

And the key reason why I go on so much about not using the override-*
and ignore-* options on refresh_pattern. Or at least targetting those
patterns VERY specifically at sites that are so broken there is no
choice. Every time they are used on an object it "breaks the Internet"
for someone, usually the admins own users/customers.


More information about the squid-users mailing list