[squid-users] Determining unique clients in Squid

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 19 15:45:52 UTC 2014



On 20/12/2014 3:52 a.m., Veiko Kukk wrote:
> Hi,
> 
> I have been trying to understand, how does Squid determine
> different clients, but it is not clear from the documentation. I
> guess this does not depend entirely on IP address, right? Otherwise
> all clients behind NAT would be considered as single client.

It depends ...

 ... Squid's network measurement mechanisms and client_db* do
depend on IP address alone.

 ... security contexts like TLS/SSL or connection pinning depend on
the TCP socket numbers in use.


Other concepts of "client" such as authenticated user or end-user or
remote software agent are not relevant to Squid beyond the ACLs you
configure.


> 
> Reason behind this is that I'd like to configure a forward proxy
> for (mostly) binary files caching. All requests have Authorization
> headers (API key) and come from single IP address (localhost,
> python application, not generic web browser).


*Caching* is not related to the client though. Whether an object can
be cached depends solely on the request/reply message headers.

see below...

> 
> client <https> squid ssl_bump to see inside https <https> remote
> cloud storage
> 
> http://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_are_private_and_public_keys.3F
>
>  "Private objects are associated with only a single client whereas
> a public object may be sent to multiple clients at the same time."
> 
> I wonder if it would be possible to use Squid for effectively
> cache larger objects locally with this type of configuration?
> 

Some points:

0) the document above is referring to the internal hash keys Squid
uses for indexing objects. It's describing the technical mechanism by
which Squid remembers which object is which type. Not much relevance
to your query as such.

1) Squid-3.2 and later are HTTP/1.1 compliant and able to cache
authenticated replies (and many other types of client-specific
objects) in accordance with the HTTP/1.1 rules for them.

2) client proxy-authorization credentials have no effect on
cacheability. Only credentials in www-authorization header affect
that, and only if the reply message does not make the object cacheable
by providing certain cache-control settings.

4) "HTTP" and "HTTPS" are both the same HTTP protocol. The only
difference is that one is inside a TLS channel. A lot of people seem
to think it's more secure somehow, but it's not really. SSL-Bumped HTTPS
requests are just as cacheable (or not) as they would be if
intercepted on port 80.

5) Size of objects is related only to the size limits you configure
into Squid. Default config is that up to 4MB is cached to disks, up to
512KB to memory.

Amos

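
Added example (not part of the original message, and not Squid's code): a simplified model of the HTTP/1.1 shared-cache rule that points 1 and 2 of the reply refer to (RFC 7234 section 3.2), showing when a reply to a request carrying an API key in Authorization may be stored by a forward proxy. The function names and sample headers are constructed for illustration.

```python
# Added example: may a shared cache (forward proxy) store this reply?
# Simplified model of RFC 7234 sections 3 and 3.2; not Squid's implementation.

def parse_cache_control(value):
    """Return {directive: argument-or-None}; naive split, ignores quoted commas."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _get(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def shared_cache_may_store(request_headers, response_headers):
    """Return (allowed, reason) for storing the reply in a shared cache."""
    req_cc = parse_cache_control(_get(request_headers, "Cache-Control"))
    res_cc = parse_cache_control(_get(response_headers, "Cache-Control"))
    if "no-store" in req_cc or "no-store" in res_cc:
        return False, "no-store present"
    if "private" in res_cc:
        # Conservative: field-qualified private="..." is also treated as private.
        return False, "reply is private to one user"
    # Proxy-Authorization is not consulted: it authenticates to the proxy only.
    if _get(request_headers, "Authorization") is not None:
        if {"public", "must-revalidate", "s-maxage"}.isdisjoint(res_cc):
            return False, "Authorization without public/must-revalidate/s-maxage"
    return True, "storable by a shared cache"


if __name__ == "__main__":
    # Constructed sample exchanges: (request headers, reply headers).
    samples = [
        ({"Authorization": "Bearer EXAMPLE-KEY"}, {"Cache-Control": "max-age=3600"}),
        ({"Authorization": "Bearer EXAMPLE-KEY"}, {"Cache-Control": "public, max-age=3600"}),
        ({"Proxy-Authorization": "Basic EXAMPLE"}, {"Cache-Control": "max-age=3600"}),
    ]
    for req, res in samples:
        print(req, res, "->", shared_cache_may_store(req, res))
```

With SSL-Bump in front of authenticated cloud storage, the first case is the one to check for: unless the origin marks the reply public, must-revalidate or s-maxage, a compliant shared cache will not reuse it across requests.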

