[squid-users] Question: Force the caching of 302 responses without Expires header and with Strict-Transport-Security max-age header?
Alex Rousskov
rousskov at measurement-factory.com
Fri Jan 3 20:19:30 UTC 2020
On 1/3/20 11:14, Andrei Pozolotin wrote:
> 3. here are response details via curl:
>
> a)
>
> curl --head
> https://archive.archlinux.org/repos/2020/01/01/community/os/x86_64/python-wheel-0.33.6-3-any.pkg.tar.xz
>
> HTTP/2 302
> server: nginx/1.16.1
> date: Fri, 03 Jan 2020 17:56:14 GMT
> content-type: text/html
> content-length: 145
> location:
> https://archive.org/download/archlinux_pkg_python-wheel/python-wheel-0.33.6-3-any.pkg.tar.xz
>
> strict-transport-security: max-age=31536000; includeSubdomains; preload
>
> b)
>
> curl --head
> https://archive.org/download/archlinux_pkg_python-wheel/python-wheel-0.33.6-3-any.pkg.tar.xz
>
> HTTP/1.1 302 Found
> Server: nginx/1.14.0 (Ubuntu)
> Date: Fri, 03 Jan 2020 17:56:42 GMT
> Content-Type: text/html; charset=UTF-8
> Connection: keep-alive
> Accept-Ranges: bytes
> Location:
> https://ia803100.us.archive.org/6/items/archlinux_pkg_python-wheel/python-wheel-0.33.6-3-any.pkg.tar.xz
>
> Strict-Transport-Security: max-age=15724800
>
> 4. it seems that Strict-Transport-Security: max-age header is ignored
> here by squid

Correct. Squid does not know anything about the
Strict-Transport-Security header. The header is treated like an
extension header (i.e. it is usually forwarded without interpreting its
value).

> 5. any attempt to use any of the refresh_pattern options also has no effect:
>
> http://www.squid-cache.org/Doc/config/refresh_pattern/

Yes, the decision to avoid caching of 302 responses without Expires is
hard-coded. It is made before refresh_pattern is consulted AFAICT.

> Question: how can one force the caching of 302 responses
> without the Expires header and with Strict-Transport-Security max-age
> header?

You can modify Squid to handle Strict-Transport-Security specially or
you can write an ICAP or eCAP service that would add a "more standard"
Cache-Control:max-age header to the response (with even more work, it
would be possible to drop the added response header before it leaves Squid).

HTH,

Alex.
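
The header logic of an ICAP RESPMOD service of the kind suggested in the reply above, as an added example that is not part of the original message and is not Squid code. It adds Cache-Control: max-age only to 302 responses that carry neither Expires nor Cache-Control, and leaves Strict-Transport-Security untouched. MAX_AGE, ISTAG, SAMPLE_302 and the function names are assumptions made for the illustration.

```python
# Added example, not Squid code: header logic for an ICAP RESPMOD service.
MAX_AGE = 86400          # assumption: freshness lifetime chosen by the operator
ISTAG = b'"example-1"'   # constructed service tag; ICAP requires one per reply

# Constructed sample, modelled on response (a) quoted in the thread.
SAMPLE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"server: nginx/1.16.1\r\n"
    b"content-type: text/html\r\n"
    b"content-length: 145\r\n"
    b"location: https://archive.org/download/archlinux_pkg_python-wheel/"
    b"python-wheel-0.33.6-3-any.pkg.tar.xz\r\n"
    b"strict-transport-security: max-age=31536000; includeSubdomains; preload\r\n"
    b"\r\n"
)

def split_head(res_hdr):
    """Split a raw HTTP response header block into status line and field lines."""
    lines = res_hdr.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    return lines[0], lines[1:]

def needs_freshness(res_hdr):
    """True only for a 302 that has neither Expires nor Cache-Control."""
    status_line, fields = split_head(res_hdr)
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != b"302":
        return False
    names = {f.split(b":", 1)[0].strip().lower() for f in fields}
    return not names & {b"expires", b"cache-control"}

def adapt(res_hdr, max_age=MAX_AGE):
    """Return the header block, with Cache-Control appended when needed."""
    if not needs_freshness(res_hdr):
        return res_hdr
    status_line, fields = split_head(res_hdr)
    fields.append(b"Cache-Control: max-age=%d" % max_age)
    return b"\r\n".join([status_line] + fields) + b"\r\n\r\n"

def icap_reply(res_hdr, has_body, allow_204=False, max_age=MAX_AGE):
    """Build the ICAP reply head plus the encapsulated HTTP response header."""
    new_hdr = adapt(res_hdr, max_age)
    if new_hdr == res_hdr and allow_204:   # nothing changed and client allows 204
        return b"ICAP/1.0 204 No Content\r\nISTag: " + ISTAG + b"\r\n\r\n"
    part = b"res-body" if has_body else b"null-body"
    head = (b"ICAP/1.0 200 OK\r\nISTag: %s\r\nEncapsulated: res-hdr=0, %s=%d\r\n\r\n"
            % (ISTAG, part, len(new_hdr)))
    return head + new_hdr   # caller streams the chunked body after this, if any
```

The Encapsulated offset is computed from the adapted header, since appending a field moves the start of the body section. The freshness lifetime is set by the operator here rather than copied from Strict-Transport-Security, whose max-age describes HTTPS policy lifetime and not how long the redirect target stays valid.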