[squid-users] Internet Browsing very slow after implementing Squid peek & splice + Access log not tracing full URL

Thu May 19 04:12:40 UTC 2016

On Thu, 2016-05-19 at 05:27 +1200, Amos Jeffries wrote:
> On 19/05/2016 2:21 a.m., Garri Djavadyan wrote:
> > 
> > On Thu, 2016-05-19 at 00:39 +1200, Amos Jeffries wrote:
> > > 
> > > Using ignore-private and ignore-must-revalidate on the same
> > > refresh_pattern is *extremely* dangerous. Just asking to get your
> > > cache pwned.
> > I'm also using the both options on the same refresh_pattern for
> > several
> > years. Can you explain the consequences? I couldn't find enough
> > information in Squid's reference and RFC2616. Thanks in advance!
> > 
> The 'private' cache-control is supposed to only be used when the
> response contains sensitive credentials or private data.
> 
> ignore-private has a long history of causing (not allowing.
> *causing*)
> people to login to other peoples accounts on various services. One
> might
> have heard about the recent Steam account login having "an issue with
> our proxy settings". I'd bet a lot it was somebody turing on
> "ignore-private" or the equivalent in their systems.
> 
> With the HTTP/1.1 changes I made it tell Squid to treat 'private' the
> same as 'must-revalidate', so that private stuff could still be
> forced
> to cache but much more safely.
> 
> Ignoring both brings back all the security and privacy breach
> problems.
> 
> One should not be afraid of revalidation. It is the backbone of most
> of
> the mechanisms that make HTTP/1.1 more performant than 1.0.
> 
> So IMO, stay away from ignore-private like it was plague. If you
> really
> have a reason to use it. At least dont use ignore-revalidate on the
> same
> traffic.
> 
> (I've similar advice for ignore-no-store. But at least no-store does
> not
> have the same security/privacy/credentials tie-in as private.)
> 
> > 
> > 
> > > 
> > > Also ignore-auth makes things *not* be cacheable in all the auth
> > > related cases when it would normally be stored by Squid.
> > I always thought that the purpose of the option is exact opposite.
> > Squid's reference any trivial test confirmed my thoughts. Sorry,
> > but
> > maybe I understood the quote incorrectly?
> > 
> It tells Squid to ignore the auth headers in a request.
> 
> In HTTP/1.0 messages the presence of auth meant the object was
> non-cacheable due to sensitive credentials. So the control let people
> make that traffic cache.
> 
> In HTTP/1.1 messages the presence of auth is often equivalent to
> must-revalidate. So ignoring the headers makes the alternative
> controls
> in the headers kick in and force non-caching. The opposite of what is
> usually intended.
> 
> 
> (FYI: both ignore-auth and ignore-must-revalidate are gone in Squid-
> 4.
> For the above reasons.)
> 
> Amos

Amos, thank you very much for the clarification!