[squid-users] Fw: Re: Can`t cache always TCP_MISS

Amos Jeffries squid3 at treenet.co.nz
Fri May 13 13:40:56 UTC 2016


On 14/05/2016 12:14 a.m., Dzaczek wrote:
> http://codepaste.net/pvx4j1
> 

Doesn't seem to be anything obviously relating to your problem in there.



Though I have a few recommendations for improvements:

* use of always_direct is deviously the opposite of what one might
expect from reading the config file.

I suggest replacing it with:
   http_access deny !whitelist

which better describes what it actually does currently: cause denial of
anything not on the whitelist.

Note that since nobody can get *out* of the proxy to any other site
there can't be any cached content for those requests to use. So no point
at all in even letting them into Squid. Which brings up...


* Your Squid could be doing a lot of work internally for things that are
not allowed to happen anyway.

Get better performance out of your proxy by doing the security checks on
traffic ingress (http_access) not on traffic egress (miss_access /
always_direct, request_header_access).


* the workday_site ACL is very dangerous.

It currently allows anyone to put the word "workday" into any URL to
bypass the other proxy ingress security.

I can't actually see any reason why this ACL and http_access exist.
localnet and localhost are permitted to do what they like anyway within
the whitelisted sites set.
Ditto for the FTP / ftp ACL and http_access lines.



* You have lost the default security check "http_access deny CONNECT
!SSL_ports"

That one is particularly important seeing as CONNECT tunnels are not
subject to always_direct which is your main access control currently.
AND you have several http_access control allowing


* you have several things above the basic port security checks.

I know we used to say that was okay, but the world has moved on. Please
make sure "http_access deny !Safe_ports" is at the top of the
http_access list, and reinstate the above mentioned CONNECT rule right
after it.

Instead of placing things above these rules, adjust the Safe_ports and
SSL_ports lists as needed and only after careful consideration of
whether you have to.



* ignore-no-cache is obsolete since Squid-3.2.

It also does the opposite of what most people want to use it for. As in:
it _prevents_ caching of things in HTTP/1.1, or at least it would if
Squid did not ignore the obsolete config.

Likewise ignore-no-store and ignore-private are highly dangerous, but
for privacy breach reasons. In current releases of Squid, ignore-private
will make CC:private response headers operate as if they were
CC:must-revalidate.


* "header_replace Accept" does nothing unless you also
"request_header_access Accept deny ..."


* request_header_access does nothing useful on response headers.

Have a look through
<http://www.iana.org/assignments/message-headers/message-headers.xhtml>
referenced RFCs to see which ones are actually request headers. RFC 723x
(x being 0, 1, 2, 3, 4, 5, 8) are the main HTTP documents.

There are some like Transfer-Encoding, If-Match, If-None-Match,
If-Unmodified-Since that you are causing to be removed but are needed by
Squid.

* there are quite a few directives being set to their current default
values.

You could simplify the config file a bit by removing those lines. In
Squid-3 you only need to configure things that you are changing from
their default behaviour.


Phew, hope that's the lot.

HTH
Amos
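The following squid.conf access section is an added example (editor's illustration, not part of Amos's message or the original poster's config) that pulls together the ordering recommended in the reply: port checks first, the CONNECT rule reinstated right after them, the whitelist enforced at ingress with http_access instead of always_direct, and no ignore-* options on refresh_pattern. The ACL name "whitelist", its file path and the localnet address range are assumed placeholders for the poster's own values.

```conf
# Added example, not the original poster's configuration.
# Assumed placeholders: the "whitelist" dstdomain file path and the
# localnet range; substitute your own.

# Port ACLs. Adjust these lists (after careful consideration) rather
# than putting allow rules above the port checks.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl CONNECT method CONNECT

# Client and destination ACLs. "localhost" and "manager" are built-in
# in Squid-3.2 and later and need no acl line.
acl localnet src 192.168.0.0/16                      # placeholder LAN range
acl whitelist dstdomain "/etc/squid/whitelist.txt"   # placeholder path, one domain per line

# 1. Basic port security checks at the top of the http_access list.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. Cache manager reachable from the proxy host only.
http_access allow localhost manager
http_access deny manager

# 3. Whitelist enforced on ingress. This replaces the always_direct rule:
#    a request for a site that could never be fetched is rejected here,
#    before Squid spends any work on it.
http_access deny !whitelist

# 4. Who may use the proxy at all.
http_access allow localnet
http_access allow localhost
http_access deny all

# refresh_pattern without ignore-no-cache (obsolete since 3.2),
# ignore-no-store or ignore-private (privacy risk).
refresh_pattern . 0 20% 4320
```

After editing, `squid -k parse` reports syntax problems without touching the running service, and `squid -k reconfigure` loads the new rules; the expected effect is that a request for a domain outside the whitelist file is denied at the http_access stage rather than reaching always_direct, miss_access or the header-mangling directives.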

