[squid-users] Internet Browsing very slow after implementing Squid peek & splice + Access log not tracing full URL

Amos Jeffries squid3 at treenet.co.nz
Wed May 18 17:27:53 UTC 2016 

On 19/05/2016 2:21 a.m., Garri Djavadyan wrote:
> On Thu, 2016-05-19 at 00:39 +1200, Amos Jeffries wrote:
>> Using ignore-private and ignore-must-revalidate on the same
>> refresh_pattern is *extremely* dangerous. Just asking to get your
>> cache pwned.
> 
> I'm also using the both options on the same refresh_pattern for several
> years. Can you explain the consequences? I couldn't find enough
> information in Squid's reference and RFC2616. Thanks in advance!
> 

The 'private' cache-control is supposed to only be used when the
response contains sensitive credentials or private data.

ignore-private has a long history of causing (not allowing. *causing*)
people to login to other peoples accounts on various services. One might
have heard about the recent Steam account login having "an issue with
our proxy settings". I'd bet a lot it was somebody turing on
"ignore-private" or the equivalent in their systems.

With the HTTP/1.1 changes I made it tell Squid to treat 'private' the
same as 'must-revalidate', so that private stuff could still be forced
to cache but much more safely.

Ignoring both brings back all the security and privacy breach problems.

One should not be afraid of revalidation. It is the backbone of most of
the mechanisms that make HTTP/1.1 more performant than 1.0.

So IMO, stay away from ignore-private like it was plague. If you really
have a reason to use it. At least dont use ignore-revalidate on the same
traffic.

(I've similar advice for ignore-no-store. But at least no-store does not
have the same security/privacy/credentials tie-in as private.)

> 
>> Also ignore-auth makes things *not* be cacheable in all the auth
>> related cases when it would normally be stored by Squid.
> 
> I always thought that the purpose of the option is exact opposite.
> Squid's reference any trivial test confirmed my thoughts. Sorry, but
> maybe I understood the quote incorrectly?
> 

It tells Squid to ignore the auth headers in a request.

In HTTP/1.0 messages the presence of auth meant the object was
non-cacheable due to sensitive credentials. So the control let people
make that traffic cache.

In HTTP/1.1 messages the presence of auth is often equivalent to
must-revalidate. So ignoring the headers makes the alternative controls
in the headers kick in and force non-caching. The opposite of what is
usually intended.


(FYI: both ignore-auth and ignore-must-revalidate are gone in Squid-4.
For the above reasons.)

Amos

More information about the squid-users mailing list