[squid-users] HTTPS cache for Java application - only getting TCP_MISS

Tomas Finnøy baretomas at protonmail.com
Thu Jun 14 15:49:59 UTC 2018


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On June 14, 2018 1:25 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 14/06/18 07:28, baretomas wrote:
> 
> > Hello,
> > 
> > I'm setting up a Squid proxy as a cache for a number (as many as possible)
> > 
> > of identical JAVA applications to run their web calls through. The calls are
> > 
> > ofc identical, and the response they get can safely be cached for 5-10
> > 
> > seconds.
> > 
> > I do this because most of the calls is directed at a single server on the
> > 
> > internet that I don't want to hammer, since I will ofc be locked out of it
> > 
> > then.
> > 
> > Currently Im simply testing this on a single computer: the application and
> > 
> > squid
> > 
> > The calls from the application is done using ssl / https by telling java to
> > 
> > use Squid as a proxy (-Dhttps.proxyHost and -Dhttp.proxyHost). I've set up
> > 
> > squid and JAVA with self-signed certificates, and the application sends its
> > 
> > calls through squid and gets the reponse. No problem there (wasnt easy that
> > 
> > either I must say :P ).
> 
> I was going to ask what was so hard about it. Then I looked at your
> 
> config and see that your are in fact using NAT interception instead of
> 
> the easy way.
> 
> So what exactly do those -D options cause the Java applications to do
> 
> with the proxy?
> 
> I have some suspicions, but am not familiar enough with Java API and
> 
> the specific details are critical to what you need the proxy to be doing.
> 
> > The problem is that none of the calls get cached: All rows in the access.log
> > 
> > hava a TCP_MISS/200 tag in them.
> > 
> > I've searched all through the web for a solution to this, and have tried
> > 
> > everything people have suggested. So I was hoping someone could help me?
> > 
> > Anyone have any tips on what to try?
> 
> There are three ways to do this:
> 
> 1.  if you own the domain the apps are connecting to. Setup the proxy as
>     
>     a normal TLS / HTTPS reverse-proxy.
>     
> 2.  if you have enough control of the apps to get them connecting with
>     
>     TLS to the proxy and sending their requests there. Do that.
>     
> 3.  the (relatively) complicated SSL-Bump way you found. The proxy is
>     
>     fully at the mercy of the the messages sent by apps and servers. Caching
>     
>     is a luxury here, easily broken / prevented.
>     
>     Well, there is a forth way with intercept. But that is a VERY last
>     
>     resort and you already have (3) going and that is already better than
>     
>     intercept. Getting to (1) or (2) would be simplest if you meet the "if
>     
>     ..." requirements for those.
>     
> 
> > MY config (note Ive set the refresh_pattern like that just to see if I could
> > 
> > catch anything. The plan is to modify it so it actualyl does refresh the
> > 
> > responses frmo the web calls in 5-10 seconds intervals. There are commented
> > 
> > out pats Ive tried with no luck there too):
> 
> ...
> 
> Ah. The way you write that implies a misunderstanding about refresh_pattern.
> 
> HTTP has some fixed algorithms written into the protocol that caches are
> 
> required to perform to determine if any object stored can be used or
> 
> requires replacement.
> 
> The parameters used by these algorithms come in the form of headers in
> 
> the originally stored reply message, the current clients request.
> 
> Sometimes they require revalidation, which is a quick check with the
> 
> server for updated instructions and/or content.
> 
> What refresh_pattern actually does is provide default values for those
> 
> algorithm parameters IF any one (or more) of them are missing from those
> 
> HTTP messages.
> 
> The proper way to make caching happen with your desired behaviour is for
> 
> the server to present HTTP Cache-Control header saying the object is
> 
> cacheable (ie does not forbid caching), but not for more than 10seconds.
> 
> Cache-Control: max-age=10
> 
> OR to say that objects need revalidation, but presents a 304 status for
> 
> revalidation checks. (ie Cache-Control:no-cache) (yeah, thats right,
> 
> "no-cache" means do cache).
> 
> That said, I doubt you really are wanting to force that and would be
> 
> happy if the server was instructing the the proxy as being safe to cache
> 
> an object for several minutes or any value larger than 10sec.
> 
> So what we circle back to is that you are probably trying to force
> 
> things to cache and be used long past their actual safe-to-use lifetimes
> 
> as specified by the devs most authoritative on that subject (under
> 
> 10sec?). As you should be aware, this is highly unsafe thing to be doing
> 
> unless you are one of those devs - be very careful what you choose to do.
> 
> > Squid normally listens to port 3128
> > ===================================
> > 
> > #http_port 3128 ssl-bump generate-host-certificates=on
> > 
> > dynamic_cert_mem_cache_size=4MB cert=/cygdrive/c/squid/etc/squid/correct.pem
> > 
> > key=/cygdrive/c/squid/etc/squid/ssl/myca.key
> > 
> > http_port 3128 ssl-bump generate-host-certificates=on
> > 
> > dynamic_cert_mem_cache_size=4MB
> > 
> > cert=/cygdrive/c/squid/etc/squid/proxyCAx.pem
> > 
> > key=/cygdrive/c/squid/etc/squid/proxyCA.pem
> > 
> > #https_port 3129 cert=/cygdrive/c/squid/etc/squid/proxyCAx.pem
> > 
> > key=/cygdrive/c/squid/etc/squid/proxyCA.pem
> 
> Hmm. This is a Windows machine running Cygwin?
> 
> FYI: Performance is going to be terrible. It may not be super relevant
> 
> yet. Just be aware that Windows imposes limitations on usable sockets
> 
> per application - which is much smaller than a typical proxy requires.
> 
> The Cygwin people do a lot but they cannot solve some OS limitation
> 
> problems.
> 
> To meet your very first sentence "as many as possible" requirement you
> 
> will need a non-Windows machine to run the proxy on. That simple change
> 
> will get you something around 3 orders of magnitude higher peak client
> 
> capacity on the proxy.
> 
> > Uncomment the line below to enable disk caching - path format is
> > ================================================================
> > 
> > /cygdrive/<full path to cache folder>, i.e.
> > 
> > #cache_dir aufs /cygdrive/c/squid/var/cache/ 3000 16 256
> > 
> > certificate generation program
> > ==============================
> > 
> > sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s
> > 
> > /cygdrive/c/squid/var/cache/squid_ssldb -M 4MB
> > 
> > Leave coredumps in the first cache dir
> > ======================================
> > 
> > coredump_dir /var/cache/squid
> > 
> > Add any of your own refresh_pattern entries above these.
> > ========================================================
> > 
> > #refresh_pattern ^ftp: 1440 20% 10080
> > 
> > #refresh_pattern ^gopher: 1440 0% 1440
> > 
> > #refresh_pattern -i (/cgi-bin/|?) 0 0% 0
> > 
> > #refresh_pattern -i (/cgi-bin/|?) 1440 100% 4320 ignore-no-store
> > 
> > override-lastmod override-expire ignore-must-revalidate ignore-reload
> > 
> > ignore-private ignore-auth
> > 
> > refresh_pattern . 1440 100% 4320 ignore-no-store override-lastmod
> > 
> > override-expire ignore-must-revalidate ignore-reload ignore-private
> > 
> > ignore-auth override-lastmod
> 
> -   ignore-must-revalidate actively reduces caching. Because it disables
>     
>     several of the widely used HTTP mechanisms that rely on revalidation to
>     
>     allow things to be stored in a cache.
>     
>     It is only beneficial if the server is broken; requiring revalidation
>     
>     plus not supporting revalidation.
>     
> -   ignore-auth same un-intuitive effects as ignoring revalidation, again
>     
>     reducing caching ability.
>     
>     This is only useful if you want to prevent caching of contents which
>     
>     require any form of login to view. High security networks dealing with
>     
>     classified or confidential materials find this useful - regular Internet
>     
>     admin not so much.
>     
> -   ignore-no-store is highly dangerous and rarely necessary. The "nuclear
>     
>     option" for caching. It has the potential to eradicate user privacy and
>     
>     scramble up any server personalized content (not in a good way).
>     
>     This is a last resort intended only to copy with severely braindead
>     
>     applications. YMMV whether you have to deal with any of those - just
>     
>     treat this an absolute last resort rather than something to play with.
>     
>     Overall - in order to use these refresh-pattern controls you need to
>     
>     know what the HTTP(S) messages going through your proxy contain in terms
>     
>     of caching headers AND what those messages are doing semantically /
>     
>     content wise for the client application. Using any of them as a generic
>     
>     "makes caching better" thing only leads to problems in todays HTTP protocol.
>     
> 
> > Bumped requests have relative URLs so Squid has to use reverse proxy
> > ====================================================================
> > 
> > or accelerator code. By default, that code denies direct forwarding.
> > ====================================================================
> > 
> > The need for this option may disappear in the future.
> > =====================================================
> > 
> > #always_direct allow all
> > 
> > dns_nameservers 8.8.8.8 208.67.222.222
> 
> Use of 8.8.8.8 is known to be explicitly detrimental to caching
> 
> intercepted traffic.
> 
> Those servers present different result sets based on the timing and IP
> 
> sending the query. The #1 requirement of caching intercepted (or
> 
> SSL-Bump'ed) content is that the client and proxy have the exact same
> 
> view of DNS system contents. Having the DNS reply contents change
> 
> between two consecutive and identical queries breaks that requirement.
> 
> > max_filedescriptors 3200
> > 
> > Max Object Size Cache
> > =====================
> > 
> > maximum_object_size 10240 KB
> > 
> > acl step1 at_step SslBump1
> > 
> > ssl_bump peek step1
> > 
> > ssl_bump bump all
> 
> This causes the proxy to attempt decryption of the traffic using crypto
> 
> algorithms based solely on the ClientHello details and its own
> 
> capabilities. There is zero server crypto capabilities known for the
> 
> proxy to use to ensure traffic can actually make it to the server.
> 
> You are rather lucky that it actually worked at all. Almost any
> 
> deviation (ie emergency security updates in future) at either client or
> 
> server or proxy endpoints risks breaking the communication through this
> 
> proxy.
> 
> Ideally there would be a stare action for step2 and them bump only at
> 
> step 3.
> 
> So in summary to the things to try to get better caching:
> 
> -   ditch 8.8.8.8. Use a local DNS resolver within your own network,
>     
>     shared by clients and proxy. That can use 8.8.8.8 itself, the important
>     
>     part is that it should be responsible for caching DNS results and
>     
>     ensuring the app clients and Squid see as much the same records as possible.
>     
> -   try "debug_options 11,2" to get a cache.log of the HTTP(S) headers for
>     
>     message being decrypted in the proxy. Look at those headers to see why
>     
>     they are not caching normally. Use that info to inform your next
>     
>     actions. It cannot tell you how the message is used by the application,
>     
>     hopefully you can figure that out somehow before forcing anything unnatural.
>     
> -   if you can, try pasting some of the transaction URLs into the tool at
>     
>     redbot.org to see if there are any HTTP level mistakes in the apps that
>     
>     could be fixed for better cacheability.
>     
>     Amos


Very much thanks for this very informative post to my question! I will spend some time understanding it, and try out the things you suggest!
Thanks again!



More information about the squid-users mailing list