[squid-users] Why does this proxy configuration ignore no-cache and no-store?

Brett brett.anderson.ftw at gmail.com
Thu Sep 27 23:04:16 UTC 2018


I'm having some trouble because my 4.0.24-VCS squid proxy is caching requests
that it shouldn't be, breaking the website I'm routing through it.

From the HAR output of the client using the proxy:

Response Headers
    Cache-Control: no-cache;no-store
    Content-Encoding: gzip
    Content-Type: text/html;charset=utf-8
    Date: Thu, 27 Sep 2018 22:27:17 GMT
    Pragma: no-cache
    Server: pache-Coyote/1.1
    Vary: Accept-Encoding
    Age: 24
    Warning: 110 squid/4.0.24-VCS "Response is stale"
    X-Cache: HIT from proxy
    Via: 1.1 proxy (squid/4.0.24-VCS)
    Connection: keep-alive


Note the no-cache;no-store Cache Control headers and then the proxy
returning the result from the cache, and its awareness of not following
HTTP rules, i.e. "Response is stale".

This would indicate that my configuration is telling the proxy to ignore
these rules. I do have some rules set up for images etc that do override
cache control, but not for html, text etc, which this request was for.
Following is my configuration:

http_port 3128 ssl-bump \
  cert=/apps/server_crt.pem key=/apps/server_key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /apps/squid/libexec/security_file_certgen -s /apps/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
coredump_dir /apps/squid/var/cache
maximum_object_size 10 GB
cache_dir ufs /apps/squid/var/cache/squid 100 16 256
cache_mem 1024 MB
maximum_object_size_in_memory 512 KB
cache_replacement_policy heap LFUDA
range_offset_limit -1
quick_abort_min -1 KB
offline_mode on
http_access allow localnet
http_access allow localhost
http_access deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|woff|woff2)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(css|js)$ 1440 40% 40320

I've also tried deleting all of the refresh_pattern statements and I still
get the same outcome. What am I doing wrong?



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
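
An added example (not part of the original post and not Squid code): a Python check over captured response headers, such as the HAR output above, that flags a cache HIT on a response whose origin asked not to be cached. It also flags Cache-Control directives that are not separated by commas, the list syntax RFC 7234 defines. The function names and finding codes are made up for this illustration, and the sample headers are copied from the post.

```python
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token characters
FORBID = {"no-store", "no-cache", "private"}          # restrictions a shared cache must honour

# Constructed sample: the response headers quoted in the post.
SAMPLE = {
    "Cache-Control": "no-cache;no-store",
    "Pragma": "no-cache",
    "Age": "24",
    "Warning": '110 squid/4.0.24-VCS "Response is stale"',
    "X-Cache": "HIT from proxy",
}

def directive_names(value, separators=","):
    """Lower-cased directive names from a Cache-Control value.
    Simplification: quoted arguments containing a separator are not handled."""
    parts = re.split("[" + re.escape(separators) + "]", value)
    return {p.partition("=")[0].strip().lower() for p in parts if p.strip()}

def audit(headers):
    """Return finding codes (hypothetical names) for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "")
    strict = directive_names(cc)          # comma-separated list, per RFC 7234
    lenient = directive_names(cc, ",;")   # also accept ';' to recover the intent
    findings = []
    # A directive name containing ';' is not a valid token.
    if any(not TOKEN.fullmatch(name) for name in strict):
        findings.append("malformed-directive")
    # Restrictions that only appear when ';' is treated as a separator.
    if (lenient & FORBID) - strict:
        findings.append("restriction-hidden-by-delimiter")
    # X-Cache is the non-standard header Squid adds; a HIT here is worth investigating.
    hit = h.get("x-cache", "").upper().startswith("HIT")
    if hit and (lenient & FORBID or h.get("pragma", "").lower() == "no-cache"):
        findings.append("cache-hit-despite-restriction")
    # Warning 110 means the cache knew the stored response was stale.
    if h.get("warning", "").startswith("110"):
        findings.append("stale-response-served")
    return findings

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(code)
```
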

