[squid-users] How to prevent caching of request or configure smart handling?

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 29 01:09:07 UTC 2016


On 29/02/2016 9:46 a.m., Karl-Philipp Richter wrote:
> 
> squid.conf
> 
<snip>

> 
> acl SSL_ports port 443

<snip>
> acl git_ports port 9418         # git protocol

Combine these two by adding port 9418 into the SSL_ports ACL.

> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> http_access allow CONNECT git_ports
> http_access deny CONNECT !SSL_ports
> http_access allow CONNECT git_ports

 ... then you can remove these duplicated "allow CONNECT git_ports" lines.

> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 
> 
> ## Service configuration
> http_port 192.168.178.20:3128 intercept
> 
> https_port 192.168.178.20:3130 intercept ssl-bump cert=/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> acl step1 at_step SslBump1
> 
> ssl_bump peek step1
> ssl_bump bump all
> 
> # sslproxy_capath /etc/ssl/certs # obsolete in 4.0.1
> 
> #sslproxy_cafile /usr/local/openssl/cabundle.file # unclear where it is in package manager installation
> 
> # insecure -> use for debugging only
> sslproxy_cert_error allow all
> # sslproxy_flags DONT_VERIFY_PEER # obsolete in 4.0.1
> 
> 
> cache_dir ufs /var/squid/cache 100 16 256
> 
> coredump_dir /var/squid/cache
> 
> #refresh_pattern ^ftp:		1440	20%	10080
> #refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 432000 99% 4320000
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|tar\.gz|txz|tar\.xz|ram|rar|bin|ppt|doc|tiff|gz|git)$ 100800 99% 432000 store-stale

You are missing the .bz2 and .xz extensions. Then you can remove the
tar.gz and tar.xz entries.

And if RAR are really that popular you will want to add r[0-9][0-9]
extensions as well.

And stuffing a query string on the URL is also common so for all of the
file extension lines you will want to replace the "$" at the end with
this:   (\?.*)?$


Remove this line:

> refresh_pattern -i .* 100800 99% 432000 store-stale

 ... it is unsafe and clobbers the finely tuned protocol behaviour
initiated by the below defaults.

Instead adjust the pct and max values of the '.' pattern rule below
(leaving the min as 0), and add store-stale to it as well.

> refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
> refresh_pattern .		0	20%	4320
> 
> ftp_port 192.168.178.20:3129
> 
> cache_effective_user squid
> cache_effective_group squid
> 
> access_log /usr/local/squid/var/log/access.log
> cache_store_log /usr/local/squid/var/log/cache_store.log
> cache_log /usr/local/squid/var/log/cache.log

You should not need store.log. Unless you have some tool specially
needing it, you can remove the above line completely and gain a bit of
performance.

The other logs look like the default paths for Squid. If that is right,
you can remove them from your config file; Squid will still log there.

> 
> pid_filename /usr/local/squid/var/run/squid.pid
> 

Likewise, the .pid file location should not need to be explicit. Try
removing.

> 
> ## Cache access
> acl domain_all dstdom_regex -i .*
> cache allow domain_all
> 
> # avoid caching of results from IP lookup services (unclear why they're cached
> # anyway, i.e. whether squid configuration of HTTP reply is badly configured)
> acl ip_services dstdomain "/etc/squid3/no-cache.acl"
> cache deny ip_services

To answer the implied question: this is probably a side effect of the
unusual ".*" refresh pattern and/or the domain_all ACL used.

Try removing all of the above "cache" lines. If you still need to deny
these after fixing the refresh_patterns, then add back only the
ip_services rule with ACL entries relevant to the new situation.

> 
> always_direct  allow ip_services
> 

Okay, remove the always_direct line. You are not using cache_peers.

> 
> ## Cache storage
> maximum_object_size 20 GB
> maximum_object_size_in_memory 20 MB
> minimum_object_size 0 KB
> 
> 
> ## Others
> range_offset_limit -1
> 
> dns_v4_first on

See if you can remove the above. A properly working network does not
need it. If issues appear when it's not used, then they *need* to be
fixed. Regular attempts should be tried anyway even if you find you have
to add it back in for a while.

Amos
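
An added illustration (example code, not part of this thread and not Squid's own code) of two of the refresh_pattern points made in the reply above: that the ".*" catch-all line, being tried before the "(/cgi-bin/|\?)" rule, silently overrides it, and that the "$" anchor on the extension lines misses URLs that carry a query string unless it is replaced with "(\?.*)?$". It models Squid's rule selection with Python's re module; the assumption that refresh_pattern lines are evaluated in config order with an unanchored regex search (the first match wins), and the sample URLs, are mine.

```python
import re

# Simplified model of refresh_pattern matching (assumption: rules are tried in
# config order, first matching regex wins, unanchored search as with POSIX
# regexec). Not Squid code; patterns are from the quoted squid.conf plus the
# changes suggested in the reply.

# Extension list as posted, with .bz2 and .xz added, the redundant tar\.gz and
# tar\.xz alternatives dropped, and r[0-9][0-9] added for split RAR volumes.
ARCHIVE_EXT = (r"\.(deb|rpm|exe|zip|tar|tgz|txz|ram|rar|r[0-9][0-9]|bin|ppt"
               r"|doc|tiff|gz|bz2|xz|git)")
ARCHIVE_POSTED = ARCHIVE_EXT + r"$"          # "$" directly after the extension
ARCHIVE_FIXED = ARCHIVE_EXT + r"(\?.*)?$"    # also accept a trailing query string
DYNAMIC = r"(/cgi-bin/|\?)"                  # stock "never cache" rule
CATCH_ALL = r".*"                            # the line the reply says to remove

ARCHIVE_LIFETIME = (100800, 99, 432000)      # min, pct, max as posted
NO_CACHE = (0, 0, 0)
DEFAULT = (0, 20, 4320)                      # stock "." rule; tune pct/max here, keep min 0

# (regex, flags, (min, pct, max)) in the order they appear in squid.conf
RULES_POSTED = [
    (ARCHIVE_POSTED, re.I, ARCHIVE_LIFETIME),
    (CATCH_ALL, re.I, ARCHIVE_LIFETIME),
    (DYNAMIC, re.I, NO_CACHE),
    (r".", 0, DEFAULT),
]
# Same as posted but with only the ".*" line deleted (the "$" anchor kept)
RULES_NO_CATCHALL = [
    (ARCHIVE_POSTED, re.I, ARCHIVE_LIFETIME),
    (DYNAMIC, re.I, NO_CACHE),
    (r".", 0, DEFAULT),
]
# Catch-all removed and query-string-tolerant extension rule
RULES_FIXED = [
    (ARCHIVE_FIXED, re.I, ARCHIVE_LIFETIME),
    (DYNAMIC, re.I, NO_CACHE),
    (r".", 0, DEFAULT),
]


def first_matching_rule(url, rules):
    """Return the (min, pct, max) tuple of the first rule whose regex matches url."""
    for pattern, flags, lifetime in rules:
        if re.search(pattern, url, flags):
            return lifetime
    return None


# Constructed sample URLs, one per point made in the reply.
SAMPLES = {
    "plain_deb":  "http://mirror.example/pool/main/foo.deb",
    "deb_query":  "http://mirror.example/pool/main/foo.deb?rand=123",
    "rar_volume": "http://files.example/archive.r01",
    "cgi_lookup": "http://ipcheck.example/cgi-bin/whatismyip?fmt=json",
    "html_page":  "http://www.example/index.html",
}


def compare(url):
    """Lifetimes assigned to url by the posted, catch-all-removed and fixed rule sets."""
    return (first_matching_rule(url, RULES_POSTED),
            first_matching_rule(url, RULES_NO_CATCHALL),
            first_matching_rule(url, RULES_FIXED))


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        posted, no_catchall, fixed = compare(url)
        print(f"{name:11s} posted={posted} no_catchall={no_catchall} fixed={fixed}")
```

Running it shows the two failure modes side by side: with the posted rules the cgi-bin lookup and the plain HTML page both fall through to the ".*" line and get the 100800/99%/432000 archive lifetime, which is why the IP lookup results were being cached; deleting only that line makes the query-string .deb fall through to the "(/cgi-bin/|\?)" rule and never be cached, and only the "(\?.*)?$" form keeps it on the archive rule.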
