[squid-users] a strange problem ( ORIGINAL_DST ( can't be cached ) HIER_DIRECT ( can be cached ) )

Amos Jeffries squid3 at treenet.co.nz
Mon Apr 11 06:40:28 UTC 2016

On 11/04/2016 4:34 p.m., johnzeng wrote:
> Hello Dear Sir :
> i am trying to improve hit ratio for cache pic file now , but i found a
> strange problem .
> When i access the pic url via firefox browser , i found the content
> can't be cached .( http_port 8080 tproxy at bridge mode )
> and some helpful info is ORIGINAL_DST/ at access.log

ORIGINAL_DST means that interception is being used and that the NAT system
was used to find the server.

> When i access the pic url via firefox wget , i found the content can be
> cached .
> wget -e "http_proxy=http://localhost:8081" -e robots=off
> --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:
> Gecko/2008092416 Firefox/3.0.3" -r -p -nd -np -H --level=2 --tries=1
> --limit-rate=500k
> http://d.ifengimg.com/w670_h326/y2.ifengimg.com/a/2016_16/93353429f03c891_size198_w670_h326.jpg
> ( http_port 8081 via bridge self-host )
> and some helpful info is - HIER_DIRECT/

DIRECT means regular forward-proxy is happening, and that the DNS system was
used to find the server.

> if possible , please give me some advice , thanks .

When NAT intercept or TPROXY are involved Squid has additional security
checks that have to be applied. Host header verification / forgery
detection is the most noticed one.

If Squid determines that the client is in fact *not* going to the server
mentioned in the Host header it will let the transaction happen to that
ORIGINAL_DST but cannot cache it.

Some things you can do to minimize the false verify results are detailed
in <http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>. Due to
how some popular CDNs operate we cannot completely eliminate the false
results; the best we can do is let it through with disabled caching.

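The following Python script is an added example, not code from Squid or from anyone in this thread. It models the two paths Amos describes: the forward-proxy path (HIER_DIRECT), where the proxy's own DNS picks the server, and the intercept/TPROXY path (ORIGINAL_DST), where the kernel NAT table says where the client was already going and the proxy then checks whether the Host header resolves to that address. A failed check still forwards to the original destination but marks the response uncacheable. The DNS table, the IP addresses and the access.log lines are constructed for the demonstration; the CDN case where the client's resolver returned an address the proxy's resolver never saw is the "false verify" that cannot be eliminated.

```python
"""Model of Squid's Host-header verification for intercepted traffic.

Added example: the DNS view, addresses and log lines below are constructed,
not taken from the poster's setup. The logic follows the behaviour described
in the reply, not Squid's source.
"""
import re
from dataclasses import dataclass

# Constructed view of what the *proxy's* resolver returns. CDN answers differ
# per resolver and over time, which is why a client that resolved the name
# elsewhere can legitimately land on an IP missing from this set.
PROXY_DNS = {
    "d.ifengimg.com": {"203.0.113.10", "203.0.113.11"},
    "y2.ifengimg.com": {"203.0.113.20"},
}


@dataclass
class Verdict:
    server_ip: str   # where the request is actually forwarded
    hier_tag: str    # hierarchy code as it would appear in access.log
    cacheable: bool
    reason: str


def _host_of(host_header: str) -> str:
    # Strip an optional :port; IPv6 literals are out of scope for this model.
    return host_header.split(":")[0].lower()


def verify_intercepted(host_header: str, original_dst: str, dns=PROXY_DNS) -> Verdict:
    """Intercept/TPROXY path: NAT supplied original_dst, Host header is untrusted."""
    host = _host_of(host_header)
    resolved = dns.get(host, set())
    if original_dst in resolved:
        return Verdict(original_dst, "ORIGINAL_DST", True,
                       "Host header verified against the connection destination")
    # Verification failed. The request is still sent to where the client was
    # going (never to where Host resolves, which would let a forged Host header
    # poison the cache), but the reply must not be stored under that URL.
    return Verdict(original_dst, "ORIGINAL_DST", False,
                   f"Host {host!r} resolves to {sorted(resolved)}, "
                   f"but the client connected to {original_dst}")


def forward_proxy(host_header: str, dns=PROXY_DNS) -> Verdict:
    """Explicit proxy path (wget -e http_proxy=...): the proxy's DNS picks the server."""
    host = _host_of(host_header)
    resolved = sorted(dns.get(host, set()))
    if not resolved:
        raise LookupError(f"cannot resolve {host}")
    return Verdict(resolved[0], "HIER_DIRECT", True, "explicit proxy: DNS selected the server")


# Constructed access.log lines in Squid's default "squid" log format.
SAMPLE_LOG = """\
1460356431.123    120 192.0.2.20 TCP_MISS/200 45221 GET http://d.ifengimg.com/a/pic.jpg - ORIGINAL_DST/203.0.113.99 image/jpeg
1460356432.456     98 192.0.2.21 TCP_MISS/200 45221 GET http://d.ifengimg.com/a/pic.jpg - HIER_DIRECT/203.0.113.10 image/jpeg
1460356433.789      2 192.0.2.22 TCP_HIT/200 45221 GET http://d.ifengimg.com/a/pic.jpg - HIER_NONE/- image/jpeg
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_access_log(text: str) -> list[dict]:
    """Parse squid-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def suspect_forgery_misses(entries: list[dict], dns=PROXY_DNS) -> list[tuple[str, str]]:
    """ORIGINAL_DST transactions whose peer IP is not in the proxy's DNS answer for
    the URL host: the ones Squid forwarded but refused to cache."""
    out = []
    for e in entries:
        if e["hier"] != "ORIGINAL_DST":
            continue
        host = e["url"].split("/")[2].split(":")[0].lower()
        if e["peer"] not in dns.get(host, set()):
            out.append((e["url"], e["peer"]))
    return out


if __name__ == "__main__":
    print(verify_intercepted("d.ifengimg.com", "203.0.113.10"))
    print(verify_intercepted("d.ifengimg.com", "203.0.113.99"))
    print(forward_proxy("d.ifengimg.com"))
    for url, peer in suspect_forgery_misses(parse_access_log(SAMPLE_LOG)):
        print("uncached intercept:", url, "->", peer)
```

Running `suspect_forgery_misses` over a real access.log (with the proxy's actual resolver answers in place of PROXY_DNS) is a quick way to measure how much of the miss traffic on an intercepting Squid is being lost to the verification check before changing DNS or caching settings.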