[squid-users] Question: Force the caching of 302 responses without Expires header and with Strict-Transport-Security max-age header?

Amos Jeffries squid3 at treenet.co.nz
Sun Jan 5 01:27:58 UTC 2020

On 5/01/20 7:24 am, Andrei Pozolotin wrote:
> Amos, hello:
> On 2020-01-04 05:14, Amos Jeffries wrote:
>> Expires header is an HTTP/1.0 protocol feature. Its absence has no
>> meaning.
>> The 302 response is explicitly defined in HTTP as a *temporary* object
>> which can change at any time. The *presence* of Cache-Control:max-age or
>> Expires sets a minimum time the response is guaranteed not to change.
> 1. perhaps an argument could be made that these are semantically identical:
> * Cache-Control: max-age=<expire-time>
> * Strict-Transport-Security: max-age=<expire-time>

They are not. One relates to hop-by-hop message storage. The other
relates to end-to-end connection setup.

> 2. and therefore "Strict-Transport-Security" should be handled
> by squid "Cache-Control" related features such as refresh_pattern
> http://www.squid-cache.org/Doc/config/refresh_pattern/

As Alex said Squid does nothing with Strict-Transport-Security headers.
They are for the client UA software, irrelevant to middleware like Squid.

>> Since your use-case is a software archive mirrors you should investigate
>> whether the objects stored there are truly identical. If they are, the
>> Store-ID feature can be used to de-duplicate the URLs the 302 are
>> pointing at so *they* are cached efficiently.
>>  <https://wiki.squid-cache.org/Features/StoreID>
> 3. thank you for the StoreID idea
> 4. I have already implemented it:
> https://github.com/random-python/nspawn/tree/master/src/main/nspawn/app/hatcher/service/image-proxy/etc/squid
> 5. it does improve performance, however two preceding TCP_MISS/302 hits
> for every archive url hit, do provide major contribution to the overall
> response delay

(Warning: I have not tested this idea yet, if it does not work it can
break the downloads completely. Treat with extreme care).

You may be able to improve that a little by adding the original 302 URL
to the Store-ID map. However you MUST then add a store_miss rule to
prevent those URLs being stored in the cache.

The idea being that once one of the real download objects is stored, Squid
uses it as a substitute for the 302. But the 302 payload can never be
used as a substitute for the real object.
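
Added example, not part of the original message and not code from the Squid project or the poster's repository: a minimal Store-ID helper that maps both the redirecting URL and the mirror URLs to one Store-ID, as the suggestion above describes. The host names, URL layout, internal Store-ID and helper path are constructed assumptions, and the squid.conf lines in the comments are as untested as the idea itself.

```python
#!/usr/bin/env python3
"""Store-ID helper sketch: redirector URL and mirror URLs share one Store-ID."""
import re
import sys

# Assumed squid.conf wiring (hypothetical path and ACL name):
#   store_id_program /usr/local/bin/storeid_helper.py
#   acl redirector dstdomain download.example.org
#   store_miss deny redirector    # never store the 302 under the shared ID

# Constructed hosts: download.example.org answers with the 302,
# mirrorN.example.org serve the real archive objects.
PATTERNS = [
    re.compile(r"^https?://download\.example\.org/archive/(?P<path>[^?#\s]+)$"),
    re.compile(r"^https?://mirror\d+\.example\.org/archive/(?P<path>[^?#\s]+)$"),
]
STORE_ID = "http://archive.squid.internal/{path}"


def store_id_for(url):
    """Return the shared Store-ID for a known URL, or None to leave it alone."""
    for pattern in PATTERNS:
        match = pattern.match(url)
        if match:
            return STORE_ID.format(path=match.group("path"))
    return None  # query strings and unknown hosts are never rewritten


def reply(line):
    """Answer one helper request line: '[channel-ID] URL [extras]'."""
    tokens = line.split()
    channel = ""
    if tokens and tokens[0].isdigit():  # concurrency channel, echoed back
        channel = tokens.pop(0) + " "
    if not tokens:
        return channel + "ERR"
    store_id = store_id_for(tokens[0])
    if store_id is None:
        return channel + "ERR"
    return channel + "OK store-id=" + store_id


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(reply(request) + "\n")
        sys.stdout.flush()  # Squid waits for each answer, so do not buffer
```
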
