[squid-users] Optimezed???

Yuri Voinov yvoinov at gmail.com
Thu Sep 24 20:51:25 UTC 2015


Heh. I asked the same question earlier.

Condolences. You can try at your own risk. But.... B1 security and your
full responsibility.

25.09.15 1:32, Jorgeley Junior wrote:
> So, if my traffic is more https than http there's no need to use squid.
> Man, most sites are https, what's the purpose of using squid?
>
> 2015-09-24 16:13 GMT-03:00 Yuri Voinov <yvoinov at gmail.com>:
>
>>
> First. This is potentially dangerous. Can you guarantee your proxy never
> has physical/network access by intruders? HTTPS can contain sensitive data.
> You really sure you want problems with users? As a minimum you need to protect
> your proxy at level B2 (by Orange Book).
>
> Second. Yes, it is dangerous, but possible with SSL Bump. With very aggressive
> cache parameters and in conjunction with the previous sentence. So, this is
> dangerous for many sites - for its functionality and security, in general.
>
> You still sure you want to do this?
>
> 24.09.15 20:46, Jorgeley Junior wrote:
> >>> Can we do that to cache https?
> >>> http_port 3128 ssl-bump generate-host-certificates=on
> >>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/monkey.pem
> >>>
> >>> 2015-09-24 11:24 GMT-03:00 Jorgeley Junior <jorgeley at gmail.com>:
> >>>
> >>>> Is it not possible to cache the https due the encryption?
> >>>>
> >>>> 2015-09-18 9:44 GMT-03:00 Antony Stone <Antony.Stone at squid.open.source.it>:
> >>>>
> >>>>> On Friday 18 September 2015 at 14:27:42, Jorgeley Junior wrote:
> >>>>>
> >>>>>> there is a way to improve it?
> >>>>>
> >>>>> Improve what?  The percentage of your traffic which is cached, or the
> >>>>> accuracy of the information reported by your monitoring system?
> >>>>>
> >>>>>
> >>>>> If you want to cache more content:
> >>>>>
> >>>>> 1. Make sure the sites being visited have available content (note that
> >>>>> 12.6% of your requests resulted in the remote server saying some
> >>>>> variation on "nothing available").
> >>>>>
> >>>>> 2. Ignore things which are meaningless - such as the 27% of your requests
> >>>>> which resulted in 407 Authentication Required - that tells you nothing
> >>>>> about whether the user then successfully authenticated and got what they
> >>>>> wanted, or didn't, but either way it's a standard response from the server
> >>>>> which tells you nothing about the effectiveness of your cache.
> >>>>>
> >>>>> 3. Make sure your traffic is HTTP instead of HTTPS.
> >>>>>
> >>>>> 4. Make sure your users are visiting the same sites repeatedly so that
> >>>>> content which gets cached gets re-used.
> >>>>>
> >>>>> 5. Make sure the sites they're visiting are not setting "don't cache" or
> >>>>> "already expired" headers (such as is common for news sites, for example)
> >>>>> so that the content is cacheable.
> >>>>>
> >>>>> 6. Run your cache for long enough that it's likely to have a
> >>>>> representative proportion of what the users are asking for when you start
> >>>>> measuring its effectiveness - if you start from an empty cache and pass
> >>>>> requests through it, it's going to take some time for the content to build
> >>>>> up so that you see some hits.
> >>>>>
> >>>>>
> >>>>> If you want to improve the information you're getting from the monitoring
> >>>>> system, make sure it's telling you how much was cached as a proportion of
> >>>>> requests which could have been cached - in other words, leave out HTTPS
> >>>>> (36%) and 407 Auth Required (27%), plus anything where the remote server
> >>>>> had nothing to provide (13%), and requests where the user's browser already
> >>>>> had a cached copy and didn't need to request an update (4%).
> >>>>>
> >>>>> That throws out 80% of your current statistics, so you concentrate on the
> >>>>> data about connections Squid *could* have helped with.
> >>>>>
> >>>>>> 2015-09-18 8:25 GMT-03:00 Antony Stone:
> >>>>>>> On Friday 18 September 2015 at 13:13:27, Jorgeley Junior wrote:
> >>>>>>>> hey guys, forgot-me? :(
> >>>>>>>
> >>>>>>> Surely you can see for yourself how many connections you've had of
> >>>>>>> different types?  Here are the most common (all those over 100 instances)
> >>>>>>> from your list of 5240 results
> >>>>>>>
> >>>>>>>>>     290 TAG_NONE/503
> >>>>>>>>>     368 TCP_DENIED/403
> >>>>>>>>>    1421 TCP_DENIED/407
> >>>>>>>>>     680 TCP_MISS/200
> >>>>>>>>>     192 TCP_REFRESH_UNMODIFIED/304
> >>>>>>>>>    1896 TCP_TUNNEL/200
> >>>>>>>
> >>>>>>> So:
> >>>>>>>
> >>>>>>> 290 (5.5%) got a 503 result (service unavailable)
> >>>>>>> 368 (7%) were denied by the remote server with code 403 (forbidden)
> >>>>>>> 1421 (27%) were denied by the remote server with code 407 (auth required)
> >>>>>>> 680 (13%) were successfully retrieved from the remote servers but were
> >>>>>>> not previously in your cache
> >>>>>>> 192 (3.6%) were already cached by your browser and didn't need to be
> >>>>>>> retrieved
> >>>>>>> 1896 (36%) were successful HTTPS tunneled connections, simply being
> >>>>>>> forwarded by the proxy
> >>>>>>>
> >>>>>>> This accounts for 4847 (92.5%) of your 5240 results.
> >>>>>>>
> >>>>>>> As you can see, just measuring HIT and MISS is not the whole picture.
> >>>>>>>
> >>>>>>>
> >>>>>>> Hope that helps,
> >>>>>>>
> >>>>>>>
> >>>>>>> Antony.
> >>>>>
> >>>>> --
> >>>>> "The problem with television is that the people must sit and keep their
> >>>>> eyes glued on a screen; the average American family hasn't time for it."
> >>>>>
> >>>>>  - New York Times, following a demonstration at the 1939 World's Fair.
> >>>>>
> >>>>>                                    Please reply to the list;
> >>>>>                                    please *don't* CC me.
> >>>>> _______________________________________________
> >>>>> squid-users mailing list
> >>>>> squid-users at lists.squid-cache.org
> >>>>> http://lists.squid-cache.org/listinfo/squid-users

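
Added example, not part of the original messages or of Squid itself: a Python sketch of the filtering described in Antony Stone's quoted reply, which sets aside HTTPS tunnels, 407 challenges, "nothing available" responses and 304s before measuring the cache. The sample log lines are constructed, and treating every 4xx/5xx other than 407 as "nothing available" is an assumption that generalizes the 403 and 503 cases in the thread.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout (not taken from the thread).
SAMPLE_LOG = """\
1442577601.120    310 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT mail.example.org:443 - HIER_DIRECT/198.51.100.7 -
1442577602.004      1 192.0.2.11 TCP_DENIED/407 4021 GET http://example.com/ - HIER_NONE/- text/html
1442577602.350     92 192.0.2.11 TCP_MISS/200 18432 GET http://example.com/ alice HIER_DIRECT/198.51.100.8 text/html
1442577603.015      3 192.0.2.12 TCP_HIT/200 18432 GET http://example.com/ bob HIER_NONE/- text/html
1442577603.800     40 192.0.2.12 TCP_REFRESH_UNMODIFIED/304 312 GET http://example.com/logo.png bob HIER_DIRECT/198.51.100.8 -
1442577604.210      0 192.0.2.13 TCP_DENIED/403 3980 GET http://blocked.example.net/ carol HIER_NONE/- text/html
1442577605.660  30002 192.0.2.10 TAG_NONE/503 0 CONNECT down.example.net:443 alice HIER_NONE/- -
"""

def tally(lines):
    """Count result codes (4th field, e.g. TCP_MISS/200) in native-format lines."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and "/" in fields[3]:
            counts[fields[3]] += 1
    return counts

def bucket(result):
    """Classify one result code the way the quoted advice groups them."""
    action, _, status = result.partition("/")
    if action == "TCP_TUNNEL":
        return "https_tunnel"       # opaque CONNECT tunnel, nothing to cache
    if status == "407":
        return "auth_challenge"     # proxy auth handshake, not a cache outcome
    if status == "304":
        return "client_cached"      # client's own copy was still valid
    if status[:1] in ("4", "5"):
        return "no_content"         # assumption: any other 4xx/5xx is "nothing available"
    return "hit" if "HIT" in action else "miss"

def summarize(counts):
    """Return (bucket totals, hit ratio computed over hit + miss only)."""
    totals = Counter()
    for result, n in counts.items():
        totals[bucket(result)] += n
    eligible = totals["hit"] + totals["miss"]
    return totals, (totals["hit"] / eligible if eligible else 0.0)

# The six result-code counts posted in the thread (4847 of the 5240 log lines).
THREAD_COUNTS = Counter({"TAG_NONE/503": 290, "TCP_DENIED/403": 368, "TCP_DENIED/407": 1421,
                         "TCP_MISS/200": 680, "TCP_REFRESH_UNMODIFIED/304": 192, "TCP_TUNNEL/200": 1896})

if __name__ == "__main__":
    print(summarize(tally(SAMPLE_LOG.splitlines())), summarize(THREAD_COUNTS))
```

On the thread's own counts only the 680 TCP_MISS/200 lines remain eligible; the other 4167 listed lines fall into the excluded buckets.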
