[squid-users] Thoughts on caching aspx jsp asp cgi-bin

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 1 16:06:27 UTC 2025


On 1/01/25 21:21, Robin Wood wrote:
> I'm going to massively over simplify things here, but you can think of 
> it like this.
> 
> Files with html extensions are static web pages, you write them, put 
> them on the server, and they are served as they are, no changes.
> 
> Asp and the others are dynamic files, they are processed by an app on 
> the server before they are sent to the client. This app may do nothing, 
> so the page comes as it was, but usually it will add content. This 
> content could be to create a CMS page by pulling the page content from a 
> database, it could be your shopping orders pulled from your account, or 
> it could be your current bank statement.
> 
> Caching should never be done on anything that is specific to a single 
> user, so it's fine to cache public CMS content with an asp extension, 
> but not your bank statement.
> 
> There is more to it than that, but hopefully that gives you a general idea.
> 


That is mostly correct for simple HTTP/1.0-like behaviour.

With HTTP/1.1 and later things are a little different. The biggest 
change is that URL no longer matters. The Content-Type replaces "file 
extension" entirely, and Cache-Control headers take over the job of 
defining how and when something can be cached.

For Squid, the refresh_pattern directive is what provides compatibility 
with HTTP 1.0 behaviour. It provides values for any Cache-Control 
settings the server omitted (eg for servers acting like HTTP/1.0 still).

The default "refresh_pattern -i (/cgi-bin/|\?) 0 0% 0" configuration 
line tells Squid the values which will perform HTTP/1.0 caching 
behaviour for any of the dynamic content coming out of broken or old 
cgi-bin services or anything with query-string ('?...') URL.


Jonathan: if you have not changed the refresh_pattern's you do not have 
to care specifically about dynamic-vs-static content caching. Whether it 
is plain-text HTTP(S) or SSL-Bump'ed HTTPS, it **should** all cache 
properly for its server-claimed needs.

Your "cache deny" policy in squid.conf is telling Squid **never** to 
cache any URL containing the ACL-matching strings. Even if they could be 
cached safely.


HTH
Amos



> Robin
> 
> On Tue, 31 Dec 2024, 23:07 Jonathan Lee wrote:
> 
>     Thanks I have to admit I am a student currently,
> 
>     I guess my last question is what do cgi-bin asp aspx asp files do
>     inside of websites? The reason I ask this is the rule below I have
>     seen the same rule on different websites so it must be the main ones
>     that cause issues. Is it just for dynamic content?
> 

...

>>>         acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
>>>

This rule applies based on a string-match of the URL. It does not matter 
whether the content is "dynamic" or not. Nor does it matter what the 
server indicates about caching of the response for any matched URL.


>>>         ## Prevent caching jsp, cgi-bin etc
>>>         cache deny QUERY
>>>



>>>         Ref:
>>>         Setting up Explicit Squid Proxy
>>>         <https://wiki.alpinelinux.org/wiki/Setting_up_Explicit_Squid_Proxy>


Looking at that tutorial I see some major issues.

  1) the "basic configuration" is very different from the official 
squid.conf (see 
<https://wiki.squid-cache.org/Releases/Squid-5#squid-5-default-config>, 
same applies for v6)

  2) the SSL-Bump example configuration disables **all** security 
features of TLS and makes it extremely difficult to even detect 
hijacking of the proxy.
   Basically this is a tutorial of how to set up an open-proxy that 
allows malware to abuse your network as a base of operations.

While the official Squid wiki page on SSL-Bump peek and splice has not 
been updated in a while it is still **much** better to follow than this 
one. At least for that particular section of details.
  see <https://wiki.squid-cache.org/Features/SslPeekAndSplice>

(I hope someone in the Alpine community can fix the above issues ASAP.)


Amos
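
Added example (not part of the original message and not Squid code): a simplified Python model of the two rules discussed above, the quoted `acl QUERY urlpath_regex ...` with `cache deny QUERY` and the default `refresh_pattern -i (/cgi-bin/|\?) 0 0% 0`, run over constructed URLs. The function names, the sample URLs and the reduction of Squid's matching to a plain regex search are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns from the quoted line: acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
# Assumption: each is an unanchored, case-sensitive regex and any hit matches.
QUERY_ACL = [re.compile(p) for p in (r"cgi-bin", r"\?", r"asp", r"aspx", r"jsp")]

# Regex from the default line: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
DEFAULT_REFRESH = re.compile(r"(/cgi-bin/|\?)", re.IGNORECASE)


def url_path(url):
    """Path plus query string, the part of the URL the patterns are tested on."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def cache_denied(url):
    """True if 'cache deny QUERY' stops this URL from ever being stored."""
    path = url_path(url)
    return any(rx.search(path) for rx in QUERY_ACL)


def heuristic_zeroed(url, response_headers):
    """True if the default refresh_pattern supplies 0 / 0% / 0 freshness.

    Simplification: modelled as applying only when the server sent no
    Cache-Control or Expires header of its own.
    """
    explicit = any(h.lower() in ("cache-control", "expires")
                   for h in response_headers)
    return not explicit and bool(DEFAULT_REFRESH.search(url_path(url)))


# Constructed samples: (URL, response headers sent by the origin server)
SAMPLES = [
    ("http://example.test/img/jasper.png", {"Cache-Control": "public, max-age=86400"}),
    ("http://example.test/news.aspx", {"Cache-Control": "public, max-age=600"}),
    ("http://example.test/cgi-bin/report", {}),
    ("http://example.test/about.html", {"Cache-Control": "max-age=3600"}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(f"{url:38} cache-deny={cache_denied(url)!s:5} "
              f"default-refresh-zero={heuristic_zeroed(url, headers)}")
```

The static image `/img/jasper.png` is denied only because its path contains the substring "asp", while the default refresh_pattern affects just the one response that carried no caching headers.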






