[squid-users] Squid 4.2 : caching is not working
Hariharan Sethuraman
srnhari at gmail.com
Mon Sep 10 15:48:26 UTC 2018
Many thanks Alex, option 2 could work. Will check on security aspects.
Thanks again to everyone.
On Mon, 10 Sep 2018, 21:11 Alex Rousskov, <rousskov at measurement-factory.com>
wrote:
> On 09/10/2018 09:03 AM, Hariharan Sethuraman wrote:
>
> > 1) ok, the client does a GET /<resource> with authorization header. So I
> > cant cache unless I ask the site-owner to send the cache-control to
> > whatever it can enable the intermediate cache-server to persist it.
> > 2) Does squid-cache allow a way where I can upload the file into cache?
>
> You may have one or two Squid-related options AFAICT:
>
> 1. Configure Squid to remove the authentication headers going to the
> origin server (see request_header_access). If the origin server does not
> actually require authentication for this specific resource, then Squid
> will get a cachable response back. Assuming the server is not broken,
> this approach is safe. However, this approach will _not_ work if the
> server requires authentication for this resource.
>
> 2. Configure Squid to (use an adaptation service to) add Cache-Control
> response headers that would allow Squid to cache the authenticated
> response. Adding response headers pre-cache probably requires using an
> adaptation service -- Squid itself does not have a directive that would
> add response headers before the response is evaluated for cachability
> (reply_header_access is a post-cache directive so it will not work
> here). This approach should "work" regardless of the server behavior. As
> Amos has said, this approach is _unsafe_ -- you may cache and share a
> response with user-specific info in it. You should not do this unless
> you are absolutely sure that the response is safe to share!
>
> Changing the origin server behavior is the best option if it is
> available to you.
>
> Alex.
>
>
> > On Mon, Sep 10, 2018 at 8:21 PM Amos Jeffries wrote:
> >
> > On 11/09/18 2:27 AM, Hariharan Sethuraman wrote:
> > >
> > > On Mon, 10 Sep 2018, 19:46 Amos Jeffries wrote:
> > >
> > > On 11/09/18 12:18 AM, Hariharan Sethuraman wrote:
> > > >
> > > > 2) With more debug_options enabled, I see that it is not
> caching
> > > because
> > > > the response is part of authenticated flow. Is there a way I
> can
> > > > override this?
> > >
> > > No. The server is supplying sufficient headers for caching to
> > make it
> > > appear that the site authors intentionally are sending what
> > does get
> > > delivered.
> > >
> > > If I understand correctly, you are saying the caching will not be
> done
> > > on squid as the content is authorised by the specific client. We
> can't
> >
> > Authenticated, not authorized. This is one place where the difference
> > matters.
> >
> > > do anything until I ask site owners to change cache control as
> public?
> > >
> >
> > Pretty much, yes. I know Chrome at least used to deliver binaries
> whose
> > installer contained details of the Google account of the user
> fetching
> > it. So its not very safe to assume even downloaders are safely
> > transferable.
> >
> > Amos
> >
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180910/4988d390/attachment.html>
More information about the squid-users
mailing list