[squid-users] Optimized???

Yuri Voinov yvoinov at gmail.com
Thu Sep 24 19:13:39 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
First. This is potentially dangerous. Can you guarantee your proxy never
has physical/network access by intruders? HTTPS can contain sensitive
data. Are you really sure you want problems with users? As a minimum you
need to protect your proxy at level B2 (by Orange Book).

Second. Yes, it is dangerous, but possible with SSL Bump. With very
aggressive cache parameters and in conjunction with the previous
sentence. So, this is dangerous for many sites - for their functionality
and security, in general.

Are you still sure you want to do this?

24.09.15 20:46, Jorgeley Junior wrote:
> Can we do that to cache https?
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/monkey.pem
>
> 2015-09-24 11:24 GMT-03:00 Jorgeley Junior <jorgeley at gmail.com>:
>
>> Is it not possible to cache the https due the encryption?
>>
>> 2015-09-18 9:44 GMT-03:00 Antony Stone <Antony.Stone at squid.open.source.it>:
>>
>>> On Friday 18 September 2015 at 14:27:42, Jorgeley Junior wrote:
>>>
>>>> there is a way to improve it?
>>>
>>> Improve what?  The percentage of your traffic which is cached, or the
>>> accuracy of the information reported by your monitoring system?
>>>
>>>
>>> If you want to cache more content:
>>>
>>> 1. Make sure the sites being visited have available content (note that
>>> 12.6% of your requests resulted in the remote server saying some
>>> variation on "nothing available").
>>>
>>> 2. Ignore things which are meaningless - such as the 27% of your
>>> requests which resulted in 407 Authentication Required - that tells you
>>> nothing about whether the user then successfully authenticated and got
>>> what they wanted, or didn't, but either way it's a standard response
>>> from the server which tells you nothing about the effectiveness of your
>>> cache.
>>>
>>> 3. Make sure your traffic is HTTP instead of HTTPS.
>>>
>>> 4. Make sure your users are visiting the same sites repeatedly so that
>>> content which gets cached gets re-used.
>>>
>>> 5. Make sure the sites they're visiting are not setting "don't cache" or
>>> "already expired" headers (such as is common for news sites, for
>>> example) so that the content is cacheable.
>>>
>>> 6. Run your cache for long enough that it's likely to have a
>>> representative proportion of what the users are asking for when you
>>> start measuring its effectiveness - if you start from an empty cache and
>>> pass requests through it, it's going to take some time for the content
>>> to build up so that you see some hits.
>>>
>>>
>>> If you want to improve the information you're getting from the
>>> monitoring system, make sure it's telling you how much was cached as a
>>> proportion of requests which could have been cached - in other words,
>>> leave out HTTPS (36%) and 407 Auth Required (27%), plus anything where
>>> the remote server had nothing to provide (13%), and requests where the
>>> user's browser already had a cached copy and didn't need to request an
>>> update (4%).
>>>
>>> That throws out 80% of your current statistics, so you concentrate on
>>> the data about connections Squid *could* have helped with.
>>>
>>>> 2015-09-18 8:25 GMT-03:00 Antony Stone:
>>>>> On Friday 18 September 2015 at 13:13:27, Jorgeley Junior wrote:
>>>>>> hey guys, forgot-me? :(
>>>>>
>>>>> Surely you can see for yourself how many connections you've had of
>>>>> different types?  Here are the most common (all those over 100
>>>>> instances) from your list of 5240 results
>>>>>
>>>>>>>     290 TAG_NONE/503
>>>>>>>     368 TCP_DENIED/403
>>>>>>>    1421 TCP_DENIED/407
>>>>>>>     680 TCP_MISS/200
>>>>>>>     192 TCP_REFRESH_UNMODIFIED/304
>>>>>>>    1896 TCP_TUNNEL/200
>>>>>
>>>>> So:
>>>>>
>>>>> 290 (5.5%) got a 503 result (service unavailable)
>>>>> 368 (7%) were denied by the remote server with code 403 (forbidden)
>>>>> 1421 (27%) were denied by the remote server with code 407 (auth
>>>>> required)
>>>>> 680 (13%) were successfully retrieved from the remote servers but were
>>>>> not previously in your cache
>>>>> 192 (3.6%) were already cached by your browser and didn't need to be
>>>>> retrieved
>>>>> 1896 (36%) were successful HTTPS tunneled connections, simply being
>>>>> forwarded by the proxy
>>>>>
>>>>> This accounts for 4847 (92.5%) of your 5240 results.
>>>>>
>>>>> As you can see, just measuring HIT and MISS is not the whole picture.
>>>>>
>>>>>
>>>>> Hope that helps,
>>>>>
>>>>>
>>>>> Antony.
>>>
>>> --
>>> "The problem with television is that the people must sit and keep their
>>> eyes glued on a screen; the average American family hasn't time for it."
>>>
>>>  - New York Times, following a demonstration at the 1939 World's Fair.
>>>
>>>                                                    Please reply to the list;
>>>                                                          please *don't* CC me.
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
>>
>>
>> --
>>
>>
>>
>
>
> --
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJWBEtiAAoJENNXIZxhPexGHWgH/Rr0iGPCyTy7R5UYI/8PSvQO
5oSWO3Oyr+MVQaGUecLq01CoyRlw1t5IRPoVnL8k/39xp0g2QlmLcWi50UjKexXr
+aOYdi2wvoFyYLISR9Dx0t64RqYYzACzmYS4hSo1yPTZ25jb3AcNGpU5D3nbQmty
Uuqomj98yo8Owz6tHnz/uEaU5AS/w4Wec+b/om3LhyiagQWa21ub42x2rqRzwNk4
pLCrtDYGFC9Vn9VMmZCZygw7/c+1CSMPW4qDkxc6GiM55EDataPtJ7uTNL2XOMwZ
9Ys1XtIuvGuMpXU2CYUiWVP4KiL3WDWPfzSqPhmrrt/laVuNNM1aOUuSNLx4oGU=
=g2rO
-----END PGP SIGNATURE-----
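One way to do the tallying Antony walks through above (count the code/status pairs in Squid's access.log, then compute a hit ratio only over the requests Squid could actually have served from cache, leaving out CONNECT tunnels, 407 and 403 denials, 5xx errors and 304 revalidations), written here as an added Python example. It is not code from the thread or from the Squid project; the log lines are constructed, and the "HIT in the result tag" rule used to recognise cache hits is my assumption, not something the thread states.

```python
"""Summarise a Squid native-format access.log the way the thread does:
count result-code/status pairs, then compute a cache hit ratio over
requests Squid could actually have cached (tunnels, 407/403, 5xx and
304 are excluded before dividing).  Added example; the log lines below
are constructed, not taken from the original poster's log."""
from collections import Counter
import re

# Squid native access.log layout (logformat squid):
# time elapsed client code/status bytes method URL ident hierarchy/host type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)"
)

# Constructed sample lines: one per result type named in the thread, plus two hits
# and one malformed line to show that garbage is skipped rather than counted.
SAMPLE_LOG = """\
1442587200.001    120 10.0.0.5 TCP_MISS/200 5123 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1442587200.002      0 10.0.0.5 TCP_HIT/200 5123 GET http://example.org/index.html - HIER_NONE/- text/html
1442587200.003      0 10.0.0.6 TCP_MEM_HIT/200 812 GET http://example.org/logo.png - HIER_NONE/- image/png
1442587200.004      0 10.0.0.7 TCP_DENIED/407 3891 GET http://example.org/ - HIER_NONE/- text/html
1442587200.005   3000 10.0.0.7 TCP_TUNNEL/200 43210 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1442587200.006     45 10.0.0.8 TCP_REFRESH_UNMODIFIED/304 312 GET http://example.org/style.css - HIER_DIRECT/93.184.216.34 -
1442587200.007   1500 10.0.0.8 TAG_NONE/503 0 GET http://down.example.net/ - HIER_NONE/- text/html
1442587200.008     90 10.0.0.9 TCP_DENIED/403 3500 GET http://blocked.example.net/ - HIER_NONE/- text/html
1442587200.009    200 10.0.0.9 TCP_MISS/200 9001 GET http://example.org/news - HIER_DIRECT/93.184.216.34 text/html
this line is garbage and should be skipped
"""


def parse_log(text):
    """Yield (code, status, method) for every line that matches the native format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("code"), int(m.group("status")), m.group("method")


def count_results(text):
    """Counter keyed by 'CODE/STATUS', the same shape as the list quoted in the thread."""
    return Counter(f"{code}/{status}" for code, status, _ in parse_log(text))


def is_uncacheable(code, status, method):
    """Requests Squid could never have served from its cache: HTTPS tunnels,
    auth challenges, forbidden responses, server errors, and conditional
    requests the origin answered with 304 (the browser already had a copy)."""
    return (
        code == "TCP_TUNNEL"
        or method == "CONNECT"
        or status in (407, 403, 304)
        or status >= 500
    )


def cache_effectiveness(text):
    """Return (hits, eligible_total, hit_ratio) over cacheable requests only.
    Assumption: any result tag containing 'HIT' (TCP_HIT, TCP_MEM_HIT, ...) is a hit."""
    hits = total = 0
    for code, status, method in parse_log(text):
        if is_uncacheable(code, status, method):
            continue
        total += 1
        if "HIT" in code:
            hits += 1
    ratio = hits / total if total else 0.0
    return hits, total, ratio


if __name__ == "__main__":
    for key, n in sorted(count_results(SAMPLE_LOG).items()):
        print(f"{n:6d} {key}")
    hits, total, ratio = cache_effectiveness(SAMPLE_LOG)
    print(f"hit ratio over cacheable requests: {hits}/{total} = {ratio:.0%}")
```

Run it against a real log with `cache_effectiveness(open("/var/log/squid/access.log").read())`; on the constructed sample the raw tally has 9 requests but only 4 of them are ones Squid could have helped with, which is exactly the distortion Antony is pointing at when he says HIT/MISS alone is not the whole picture.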
