[squid-users] Squid transparent not caching apt requests from deb.debian.org
Matus UHLAR - fantomas
uhlar at fantomas.sk
Wed Apr 8 17:13:39 UTC 2020
>>On 4/7/20 8:48 PM, zrm wrote:
>On 4/8/20 10:46, Alex Rousskov wrote:
>>I found the reason for the difference.
>>After the destination IP address of your apt requests fails Host header
>>validation, Squid marks the request as "not cachable":
On 08.04.20 13:01, zrm wrote:
>I checked the DNS query apt is making to see why it's different. It's
>making a SRV query for _http._tcp.deb.debian.org and then using the IP
>address of the name (prod.debian.map.fastly.net) returned in the SRV
>query. By contrast, squid does the A record query for deb.debian.org
>and gets a CNAME for debian.map.fastly.net. Almost the same, but since
>it's a CDN with many IP addresses, enough different that they happen
>to not both return the same address and then validation fails.
>Meanwhile wget does the same A record query as squid and gets the same
>The question then becomes what to do about it. Maybe if squid fails
>the validation for the A query, it should try the SRV query and accept
>the address as valid if it matches that. Another possibility would be
>a config option to have squid completely ignore the address the client
>used and always use the address it gets by doing its own DNS query for
>the host, in which case the result would be safe to cache.
>But these are obviously changes requiring a new version of squid. Is
>there any way to make it work without that?
I'd contact debian.org DNS masters. I believe CDN wasn't designedto cause this
kind of issues.
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
More information about the squid-users