[squid-users] Squid 6.10 SSL-Bump Woes

Bryan Seitz seitzbg at gmail.com
Fri Oct 11 18:10:16 UTC 2024


root at squid:~# curl -i --insecure --proxy http://squid:3128/ "https://10.170.31.75/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics"
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Link: <http://redfish.dmtf.org/schemas/v1/Z.v1_5_2.json>; rel=describedby
Allow: GET
Content-Length: 1173
Content-Type: application/json; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self';connect-src 'self' ws: wss:;frame-src 'self';img-src 'self' data:;object-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
OData-Version: 4.0
Date: Fri, 11 Oct 2024 18:03:49 GMT
Cache-Status: squid;detail=mismatch
Via: 1.1 squid (squid/6.10)
Connection: keep-alive
Cache-Control: public, max-age=1800

Second run:

curl -i --insecure --proxy http://squid:3128/ "https://10.170.31.75/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics"
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Link: <http://redfish.dmtf.org/schemas/v1/Z.v1_5_2.json>; rel=describedby
Allow: GET
Content-Length: 1173
Content-Type: application/json; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self';connect-src 'self' ws: wss:;frame-src 'self';img-src 'self' data:;object-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
OData-Version: 4.0
Date: Fri, 11 Oct 2024 18:05:16 GMT
Cache-Status: squid;detail=mismatch
Via: 1.1 squid (squid/6.10)
Connection: keep-alive
Cache-Control: public, max-age=1800

Logs:

1728669831.300     40 10.65.34.5 NONE_NONE/200 0 CONNECT 10.170.31.75:443 - HIER_NONE/- - [Host: 10.170.31.75:443\r\nUser-Agent: curl/7.81.0\r\nProxy-Connection: Keep-Alive\r\n] [HTTP/1.1 200 Connection established\r\n\r\n]
1728669831.847    546 10.65.34.5 TCP_MISS/200 2000 GET https://10.170.31.75/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics - HIER_DIRECT/10.170.31.75 application/json [Host: 10.170.31.75\r\nUser-Agent: curl/7.81.0\r\nAccept: */*\r\n] [HTTP/1.1 200 OK\r\nLink: <http://redfish.dmtf.org/schemas/v1/Z.v1_5_2.json>; rel=describedby\r\nAllow: GET\r\nContent-Length: 1173\r\nContent-Type: application/json; charset=UTF-8\r\nStrict-Transport-Security: max-age=31536000; includeSubdomains\r\nX-XSS-Protection: 1; mode=block\r\nContent-Security-Policy: default-src 'self';connect-src 'self' ws: wss:;frame-src 'self';img-src 'self' data:;object-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nOData-Version: 4.0\r\nDate: Fri, 11 Oct 2024 18:03:49 GMT\r\nCache-Status: squid;detail=mismatch\r\nVia: 1.1 squid (squid/6.10)\r\nConnection: keep-alive\r\nCache-Control: public, max-age=1800\r\n\r\n]
1728669917.657     39 10.65.34.5 NONE_NONE/200 0 CONNECT 10.170.31.75:443 - HIER_NONE/- - [Host: 10.170.31.75:443\r\nUser-Agent: curl/7.81.0\r\nProxy-Connection: Keep-Alive\r\n] [HTTP/1.1 200 Connection established\r\n\r\n]
1728669918.269    611 10.65.34.5 TCP_MISS/200 2000 GET https://10.170.31.75/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics - HIER_DIRECT/10.170.31.75 application/json [Host: 10.170.31.75\r\nUser-Agent: curl/7.81.0\r\nAccept: */*\r\n] [HTTP/1.1 200 OK\r\nLink: <http://redfish.dmtf.org/schemas/v1/Z.v1_5_2.json>; rel=describedby\r\nAllow: GET\r\nContent-Length: 1173\r\nContent-Type: application/json; charset=UTF-8\r\nStrict-Transport-Security: max-age=31536000; includeSubdomains\r\nX-XSS-Protection: 1; mode=block\r\nContent-Security-Policy: default-src 'self';connect-src 'self' ws: wss:;frame-src 'self';img-src 'self' data:;object-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nOData-Version: 4.0\r\nDate: Fri, 11 Oct 2024 18:05:16 GMT\r\nCache-Status: squid;detail=mismatch\r\nVia: 1.1 squid (squid/6.10)\r\nConnection: keep-alive\r\nCache-Control: public, max-age=1800\r\n\r\n]

1728669831.847 RELEASE -1 FFFFFFFF 020000000000000031450B0001000000  200 1728669829        -1        -1 application/json 1173/1173 GET https://10.170.31.75/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics
1728669918.269 RELEASE -1 FFFFFFFF 02000000000000002E450B0004000000  200 1728669916        -1        -1 application/json 1173/1173 GET https://10.170.31.75/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics

Cache log:
https://p.bsd-unix.net/?bfc9a1568c49f0b6#89PnEqmjNr7iLh1ZYTLVbgbt4FouhW2RekSxeaZ3xZZs

Happy to jump on irc/discord/matrix/whatever for help if easier to debug!

Thanks!

On Fri, Oct 11, 2024 at 4:17 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 11/10/24 11:08, Bryan Seitz wrote:
> > I removed the header mods and changed the refresh pattern to:
> >
> > refresh_pattern .               15      20%     1800    override-expire
> > ignore-no-cache ignore-no-store ignore-private
> >
> > And I always get TCP_MISS.  Any other thoughts?
>
> Ah, I believe it would be best to get a baseline of what Squid default
> behaviour is like in your environment. So we can identify what/how you
> need to improve it.
>
>
> Firstly, FYI; this is what those controls **actually** do in current
> Squid ..
>
>   * override-expires ... forces Squid to handle all responses to act as
> if they received "Cache-Control: max-age=900" (15 min) ... store, but
> revalidate 180+ seconds (20% of 15min) later.
>    Result: Anything that could cache longer than 15min becomes a
> REFRESH_MISS or MISS, instead of HIT.
>    Squid default: **do** cache. Revalidate
>      * after("Date"+"CC: max-age=N") timestamp, otherwise
>      * after "Expires" timestamp, otherwise
>      * after ("Date" +1800 minutes) timestamp.
>
>   * ignore-no-cache ... the standardized "CC: no-cache" is badly named,
> it tells Squid what **can** be cached.
>    Result: Squid will discard many stored objects and perform a MISS
> instead.
>    Squid default: **do** cache "CC:private" responses, revalidate on
> HIT. Log as REFRESH.
>
>   * ignore-no-store ... force everything marked "CC: no-store" to be
> stored.
>   Result: cache fills with non-reusable objects. Leaving not much room
> for actual HIT objects.
>    Squid default: store only objects which can result in more HITs.
>
>   * ignore-private ... force everything with "CC: private" to be discarded.
>    Result: same as "ignore-no-store".
>    Squid default: **do** cache "CC:private" responses, revalidate on HIT.
>
> Note that both HIT and REFRESH mean the object **was** cached.
>
>
> You said that the access.log now contains MISS. Would that be just
> "MISS" or "REFRESH" + "MISS" (actually a HIT, but a new object was given
> by the server and replaced the pre-stored object).
>
>
> Can you show a pair of request headers from the client, with matching
> response from the server?  You can use "debug_options 11,2" in recent
> Squid versions to get a cache.log trace of the HTTP transactions.
>
> That might help us spot something more specific. The config change makes
> the earlier given ones obsolete.
>
>
> HTH
> Amos
>


-- 
Bryan Seitz
seitzbg at gmail.com