[squid-users] Optimezed???

Jorgeley Junior jorgeley at gmail.com
Thu Sep 24 19:32:56 UTC 2015


So, if my traffic is more https than http there's no need to use squid.
Man, most sites are https, what's the purpose of using squid?

2015-09-24 16:13 GMT-03:00 Yuri Voinov <yvoinov at gmail.com>:

>
> First. This is potentially dangerous. Can you guarantee your proxy never
> has physical/network access by intruders? HTTPS can contain sensitive data.
> You really sure you want problems with users? As a minimum you need to
> protect your proxy at level B2 (by Orange Book).
>
> Second. Yes, it is dangerous, but possible with SSL Bump. With very
> aggressive cache parameters and in conjunction with the previous sentence.
> So, this is dangerous for many sites - for its functionality and security,
> in general.
>
> You still sure you want to do this?
>
> 24.09.15 20:46, Jorgeley Junior wrote:
> > Can we do that to cache https?
> > http_port 3128 ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/monkey.pem
> >
> > 2015-09-24 11:24 GMT-03:00 Jorgeley Junior <jorgeley at gmail.com>:
> >
> >> Is it not possible to cache the https due to the encryption?
> >>
> >> 2015-09-18 9:44 GMT-03:00 Antony Stone <Antony.Stone at squid.open.source.it>:
> >>
> >>> On Friday 18 September 2015 at 14:27:42, Jorgeley Junior wrote:
> >>>
> >>>> there is a way to improve it?
> >>>
> >>> Improve what?  The percentage of your traffic which is cached, or the
> >>> accuracy of the information reported by your monitoring system?
> >>>
> >>>
> >>> If you want to cache more content:
> >>>
> >>> 1. Make sure the sites being visited have available content (note that
> >>> 12.6% of your requests resulted in the remote server saying some
> >>> variation on "nothing available").
> >>>
> >>> 2. Ignore things which are meaningless - such as the 27% of your
> >>> requests which resulted in 407 Authentication Required - that tells you
> >>> nothing about whether the user then successfully authenticated and got
> >>> what they wanted, or didn't, but either way it's a standard response
> >>> from the server which tells you nothing about the effectiveness of your
> >>> cache.
> >>>
> >>> 3. Make sure your traffic is HTTP instead of HTTPS.
> >>>
> >>> 4. Make sure your users are visiting the same sites repeatedly so that
> >>> content which gets cached gets re-used.
> >>>
> >>> 5. Make sure the sites they're visiting are not setting "don't cache" or
> >>> "already expired" headers (such as is common for news sites, for
> >>> example) so that the content is cacheable.
> >>>
> >>> 6. Run your cache for long enough that it's likely to have a
> >>> representative proportion of what the users are asking for when you
> >>> start measuring its effectiveness - if you start from an empty cache and
> >>> pass requests through it, it's going to take some time for the content
> >>> to build up so that you see some hits.
> >>>
> >>>
> >>> If you want to improve the information you're getting from the
> >>> monitoring system, make sure it's telling you how much was cached as a
> >>> proportion of requests which could have been cached - in other words,
> >>> leave out HTTPS (36%) and 407 Auth Required (27%), plus anything where
> >>> the remote server had nothing to provide (13%), and requests where the
> >>> user's browser already had a cached copy and didn't need to request an
> >>> update (4%).
> >>>
> >>> That throws out 80% of your current statistics, so you concentrate on
> >>> the data about connections Squid *could* have helped with.
> >>>
> >>>> 2015-09-18 8:25 GMT-03:00 Antony Stone:
> >>>>> On Friday 18 September 2015 at 13:13:27, Jorgeley Junior wrote:
> >>>>>> hey guys, forgot-me? :(
> >>>>>
> >>>>> Surely you can see for yourself how many connections you've had of
> >>>>> different types?  Here are the most common (all those over 100
> >>>>> instances) from your list of 5240 results
> >>>>>
> >>>>>>>     290 TAG_NONE/503
> >>>>>>>     368 TCP_DENIED/403
> >>>>>>>    1421 TCP_DENIED/407
> >>>>>>>     680 TCP_MISS/200
> >>>>>>>     192 TCP_REFRESH_UNMODIFIED/304
> >>>>>>>    1896 TCP_TUNNEL/200
> >>>>>
> >>>>> So:
> >>>>>
> >>>>> 290 (5.5%) got a 503 result (service unavailable)
> >>>>> 368 (7%) were denied by the remote server with code 403 (forbidden)
> >>>>> 1421 (27%) were denied by the remote server with code 407 (auth
> >>>>> required)
> >>>>> 680 (13%) were successfully retrieved from the remote servers but were
> >>>>> not previously in your cache
> >>>>> 192 (3.6%) were already cached by your browser and didn't need to be
> >>>>> retrieved
> >>>>> 1896 (36%) were successful HTTPS tunneled connections, simply being
> >>>>> forwarded by the proxy
> >>>>>
> >>>>> This accounts for 4847 (92.5%) of your 5240 results.
> >>>>>
> >>>>> As you can see, just measuring HIT and MISS is not the whole picture.
> >>>>>
> >>>>>
> >>>>> Hope that helps,
> >>>>>
> >>>>>
> >>>>> Antony.
> >>>
> >>> --
> >>> "The problem with television is that the people must sit and keep their
> >>> eyes glued on a screen; the average American family hasn't time for it."
> >>>
> >>>  - New York Times, following a demonstration at the 1939 World's Fair.
> >>>
> >>> Please reply to the list; please *don't* CC me.
> >>> _______________________________________________
> >>> squid-users mailing list
> >>> squid-users at lists.squid-cache.org
> >>> http://lists.squid-cache.org/listinfo/squid-users
> >>>
>
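
Added example, not part of the original thread: a small Python script that tallies Squid result codes from native-format access.log lines and reports the hit ratio both over all requests and over only the requests left after the exclusions listed in the quoted reply (HTTPS tunnels, 407, 403/503, 304). The sample log lines are constructed, and counting any tag containing "HIT" as a cache hit is an assumption of this example.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format (not data from the thread).
SAMPLE_LOG = """\
1442577600.101     45 10.0.0.5 TCP_MISS/200 1520 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1442577601.202      2 10.0.0.5 TCP_HIT/200 1520 GET http://example.com/ - HIER_NONE/- text/html
1442577602.303      1 10.0.0.6 TCP_MEM_HIT/200 880 GET http://example.com/logo.png - HIER_NONE/- image/png
1442577603.404   9120 10.0.0.6 TCP_TUNNEL/200 5310 CONNECT example.org:443 - HIER_DIRECT/192.0.2.20 -
1442577604.505      0 10.0.0.7 TCP_DENIED/407 4020 GET http://example.net/ - HIER_NONE/- text/html
1442577605.606      0 10.0.0.7 TCP_DENIED/403 3900 GET http://example.net/admin - HIER_NONE/- text/html
1442577606.707    310 10.0.0.8 TAG_NONE/503 0 CONNECT example.invalid:443 - HIER_NONE/- -
1442577607.808     60 10.0.0.8 TCP_REFRESH_UNMODIFIED/304 310 GET http://example.com/app.css - HIER_DIRECT/192.0.2.10 -
1442577608.909     52 10.0.0.9 TCP_MISS/200 2210 GET http://example.com/news - HIER_DIRECT/192.0.2.10 text/html
1442577609.010   4400 10.0.0.9 TCP_TUNNEL/200 7712 CONNECT example.org:443 - HIER_DIRECT/192.0.2.20 -
"""

# Status codes the quoted reply says to leave out of the statistics.
EXCLUDED_STATUS = {"407", "403", "503", "304"}


def tally(log_text):
    """Count result codes (4th field, e.g. TCP_MISS/200); skip malformed lines."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "/" in fields[3]:
            counts[fields[3]] += 1
    return counts


def cache_report(log_text):
    """Hit ratio over all requests vs. over requests Squid could have cached."""
    counts = tally(log_text)
    total = sum(counts.values())
    considered = hits = 0
    for code, n in counts.items():
        tag, _, status = code.partition("/")
        if tag == "TCP_TUNNEL" or status in EXCLUDED_STATUS:
            continue  # tunnelled HTTPS, auth challenges, errors, revalidations
        considered += n
        if "HIT" in tag:  # assumption: TCP_HIT, TCP_MEM_HIT, ... count as hits
            hits += n
    return {
        "total": total, "considered": considered, "hits": hits,
        "raw_ratio": hits / total if total else 0.0,
        "adjusted_ratio": hits / considered if considered else 0.0,
    }


if __name__ == "__main__":
    print(cache_report(SAMPLE_LOG))
```
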

