Re: [squid-users] HTTP Headers

From: Craig Kelley <ckelley@dont-contact.us>
Date: 22 Apr 2003 08:45:57 -0600

On Tue, 2003-04-22 at 01:17, Henrik Nordstrom wrote:
> On Monday 21 April 2003 19.33, Craig Kelley wrote:
> > On Wed, 2003-03-05 at 15:50, Henrik Nordstrom wrote:
> > > On Wednesday 05 March 2003 23.18, Craig Kelley wrote:
> > > > I would rather just have
> > > > squid do the basic authentication, but from what I understand
> > > > it cannot reliably do this when in httpd_accel mode (?).
>
> > When I attempt to set this up, I get no caching. From my store.log
> > I see these entries:
> >
> > 1050944461.780 RELEASE -1 FFFFFFFF A517A3F93DAA31ADBE34FBD0D31BBFD3
> > 200 1050944461 1050942166 -1 text/plain 25600/25600 GET
> > http://ibncache/test2.dat
> >
> > Which, if I'm interpreting this correctly, means that it is
> > successfully parsing the Last-Modified header, but the "Expires"
> > (reply->expires) entry in the cache is set to "-1" for some reason.
>
> Most likely Squid does not realize that the authentication is to Squid
> and not the origin web server, and the rules of RFC2616 14.8
> Authorization still triggers.. (Squid only supports rule #3,
> Cache-Control: public).
>
> See httpCachableReply().

You nailed it!

I had sort of come to the same conclusion by placing debug messages in
http.c (in the case HDR_AUTHORIZATION switch). Our "root webserver"
from which the squid boxes accelerate is only accessible by the squid
caches, so I safely set the Cache-control to 'public' on that machine
and everything works beautifully.

The Java client that eventually consumes the information is dumb, so it
always sends authentication information regardless (which squid
[rightfully] assumes should be sent to the root webserver).

In summary (for the list archives): We have various Squid boxes
geographically spread out which each provide authentication in a
transparent HTTP acceleration mode, functioning as a simple read-only
distributed filesystem. The Squid servers run in httpd_accel mode with
basic authentication on accounts that reside in the squid boxes. The
root webserver is firewalled off so that it can only speak with our
Squid servers.

-- 
Craig Kelley <ckelley@ibnads.com>
In-Store Broadcasting Network
Received on Tue Apr 22 2003 - 08:46:35 MDT
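
The RFC 2616 section 14.8 check discussed in this thread, as an added example (not Squid's code and not part of the original message): a shared cache may keep the reply to a request that carried Authorization only if the reply's Cache-Control has s-maxage (rule 1), must-revalidate (rule 2) or public (rule 3). The function and enum names are hypothetical, and `RULE3_ONLY` models the behaviour Henrik describes, where only `public` is honoured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum auth_rules { RULE3_ONLY, ALL_RULES };   /* hypothetical names */

/* True if the comma-separated Cache-Control value holds directive `name`
 * (case-insensitive, with or without "=value"). Simplification: commas
 * inside quoted directive values are not handled. */
static bool cc_has(const char *cc, const char *name)
{
    size_t n = strlen(name);
    while (cc && *cc) {
        while (*cc == ' ' || *cc == '\t' || *cc == ',') cc++;
        size_t len = strcspn(cc, ",");
        if (len >= n && strncasecmp(cc, name, n) == 0) {
            char next = cc[n];           /* reject prefixes like "publicx" */
            if (len == n || next == '=' || next == ' ' || next == '\t')
                return true;
        }
        cc += len;
    }
    return false;
}

/* Evaluates only the section 14.8 Authorization rule; other cacheability
 * checks (no-store, private, expiry, ...) are out of scope here. */
bool authorization_allows_store(const char *req_authorization,
                                const char *resp_cache_control,
                                enum auth_rules mode)
{
    if (req_authorization == NULL)
        return true;                              /* 14.8 does not apply */
    if (cc_has(resp_cache_control, "public"))
        return true;                              /* rule 3 */
    if (mode == ALL_RULES)
        return cc_has(resp_cache_control, "s-maxage") ||       /* rule 1 */
               cc_has(resp_cache_control, "must-revalidate");  /* rule 2 */
    return false;
}

int main(void)
{
    const char *auth = "Basic dGVzdDp0ZXN0";      /* constructed sample */
    printf("no Cache-Control: %d\n", authorization_allows_store(auth, NULL, RULE3_ONLY));
    printf("public:           %d\n", authorization_allows_store(auth, "public", RULE3_ONLY));
    return 0;
}
```

Marking replies `public` is only appropriate in a setup like the one summarised above, where the cache itself authenticates every client and the origin is reachable only from the caches.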
