[squid-users] Squid transparent not caching apt requests from deb.debian.org

zrm zrm at trustiosity.com
Wed Apr 8 17:01:25 UTC 2020

On 4/8/20 10:46, Alex Rousskov wrote:
> On 4/7/20 8:48 PM, zrm wrote:
>> https://www.trustiosity.com/squid/cache-debug.log.xz
> I found the reason for the difference.
> After the destination IP address of your apt requests fails Host header
> validation, Squid marks the request as "not cachable":

I checked the DNS query apt is making to see why it's different. It's 
making a SRV query for _http._tcp.deb.debian.org and then using the IP 
address of the name (prod.debian.map.fastly.net) returned in the SRV 
query. By contrast, squid does the A record query for deb.debian.org and 
gets a CNAME for debian.map.fastly.net. Almost the same, but since it's 
a CDN with many IP addresses, enough different that they happen to not 
both return the same address and then validation fails.

Meanwhile wget does the same A record query as squid and gets the same 

The question then becomes what to do about it. Maybe if squid fails the 
validation for the A query, it should try the SRV query and accept the 
address as valid if it matches that. Another possibility would be a 
config option to have squid completely ignore the address the client 
used and always use the address it gets by doing its own DNS query for 
the host, in which case the result would be safe to cache.

But these are obviously changes requiring a new version of squid. Is 
there any way to make it work without that?

More information about the squid-users mailing list