[squid-users] Caching application/octet-stream

Michael Varun michael.varun at inmobi.com
Mon Oct 3 08:38:25 UTC 2016 

There is a bug in the SSL-Bump implementation we have not sorted out
yet, which makes the "ssl-bump" on this port enable reverse-proxy mode
handling. That seems to be leading to Surrogate feature being enabled
and the Authorization:Bearer being removed when it should be relayed to
the server.


Can you refer to the BUD ID if there is one already opened  if not
should i submit one for reference ?


On Fri, Sep 30, 2016 at 1:06 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 30/09/2016 8:10 p.m., Michael Varun wrote:
> > Here is the snippet of debug logs
> > I dont get to see anything missing out there . It does a GET call to the
> > docker registry on behalf of the requesting client The registry listens
> on
> > 443 so squid mimicks  client TLS connections post which does a GET call
> to
> > the docker registry on the requested blobs
>
> Well firstly, going by your earlier config file the client is *not*
> performing TLS connections. Your proxy is configured to receive
> plain-text HTTP at port 443.
>
> You seem to have stumbled onto two bugs in Squid which are combining to
> be problematic.
>
> There is a bug in the SSL-Bump implementation we have not sorted out
> yet, which makes the "ssl-bump" on this port enable reverse-proxy mode
> handling. That seems to be leading to Surrogate feature being enabled
> and the Authorization:Bearer being removed when it should be relayed to
> the server.
>
> The existence of Authorization header on the request combined with lack
> of Cache-Control:public on the response means these reponses are private
> responses associated with that auth credentials token. They cannot be
> cached and given to anyone else.
>
> That brings up what I think may be a second bug. Since the request to
> the server was sent without Auth header then Squid should be considering
> it a non-auth response and treating it as cacheable anyway. But probably
> is just using the client request for that decision.
>
>
> You could try adding the "login=PASSTHRU" option to your cache_peer
> line. If the server sends "Cache-Control:public" that should enable
> caching.
>
> Amos
>
>

-- 
_____________________________________________________________
The information contained in this communication is intended solely for the 
use of the individual or entity to whom it is addressed and others 
authorized to receive it. It may contain confidential or legally privileged 
information. If you are not the intended recipient you are hereby notified 
that any disclosure, copying, distribution or taking any action in reliance 
on the contents of this information is strictly prohibited and may be 
unlawful. If you have received this communication in error, please notify 
us immediately by responding to this email and then delete it from your 
system. The firm is neither liable for the proper and complete transmission 
of the information contained in this communication nor for any delay in its 
receipt.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161003/0d4aecde/attachment.html>

More information about the squid-users mailing list