Re: [squid-users] Conditional Caching

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Jul 2009 11:14:05 +1200

On Tue, 28 Jul 2009 06:14:37 -0700 (PDT), xetorthio <ionathan_at_gmail.com>
wrote:
> Amos Jeffries-2 wrote:
>>
>> That's not good.
>> What version of Squid is this and what does your configuration file
>> contain?
>> (without the config comments and empty lines please)
>>
>
> Hi Amos,
> The version of the squid that I'm using is: squid-2.7.STABLE6
> My configuration file is the following:
>
> http_port 10.0.0.10:8983 accel vhost
> http_port 3128
> hierarchy_stoplist cgi-bin
> acl QUERY urlpath_regex cgi-bin
> no_cache deny QUERY
> cache_mem 7168 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 4096 KB
> minimum_object_size 0 KB
> cache_replacement_policy lru
> memory_replacement_policy lru
> cache_dir diskd /var/cache/squid/1/vol1 20000 100 10
> cache_dir diskd /var/cache/squid/1/vol2 20000 100 10
> access_log /var/log/squid/1/access.log
> cache_log /var/log/squid/1/cache.log
> cache_store_log none
> cache_swap_log /var/cache/squid/1/
> emulate_httpd_log on

emulate_* is deprecated. Just set:
  access_log /var/log/squid/1/access.log common

> log_ip_on_direct off
> mime_table /etc/squid/mime.conf
> log_mime_hdrs off
> pid_filename /var/run/squid/1.pid
> log_fqdn off
> client_netmask 255.255.255.255
> redirect_rewrites_host_header off
> auth_param basic children 5
> auth_param basic realm OLX Cache Manager
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl monitor src 10.0.0.100/255.255.255.255
> acl web_ports port 8983 8080 80
> http_access allow web_ports

The above allows unlimited access for any reason for someone attempting to
reach _any_ destination on port 80 or port 8080 or port 8983.
This is VERY DANGEROUS when you have a forward-proxy port open (your:
http_port 3128).

See the correct configuration for accelerator mode:
  http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
  http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting

Reverse proxy configuration should ONLY allow requests which terminate on
the peers. "allow destination port 80" does not indicate the destination
peer machine in any way.

Forward proxy mode security should be configured normally _after_ the
restrictive reverse-proxy configuration.

> http_access allow manager localhost
> http_access allow manager monitor
> http_access deny manager
> acl purge method PURGE
> http_access allow purge localhost
> http_access allow purge monitor
> http_access deny purge
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_peer 172.28.1.44 parent 8983 0 no-query originserver login=PASS
> cache_mgr infrastructure_at_olx.com
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname solr1.proxy1.olx.com
> httpd_suppress_version_string on
> icon_directory /usr/local/squid/share/icons
> coredump_dir /var/cache/squid/1/
>

I can't see any reason there why Squid could be changing the method from
POST to GET.

Check the traffic between Squid and the client to see if a 30x message is
coming back from the web app when POST is sent. If that happens, most
browsers will follow up with the same URL or one from the 30x Location:
header using GET. Some browsers may retry the POST to the new location.

Do you have an example of the POST request going into squid and the GET
coming out?

Amos
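As an added illustration (not part of the original thread or of the Squid project's own documentation), the following squid.conf fragment shows the split Amos describes: the accelerator port only admits requests whose Host: header names the site served by the origin peer, and the forward-proxy rules come afterwards and are restricted by source address. The peer name `solr_origin`, the `dstdomain` value and the `localnet` range are assumptions chosen for the example; the `name=` option on `cache_peer` and `cache_peer_access` are standard in Squid 2.6/2.7.

```squid
# --- Accelerator (reverse proxy) part: admit only requests that terminate on the peer ---
http_port 10.0.0.10:8983 accel vhost

# name= lets cache_peer_access refer to this peer (assumed name: solr_origin)
cache_peer 172.28.1.44 parent 8983 0 no-query originserver login=PASS name=solr_origin

# Hostname(s) the accelerator is allowed to serve; matched against the
# client's Host: header under "accel vhost". Assumed value, replace with the
# real public site name(s).
acl our_sites dstdomain solr1.proxy1.olx.com

# Squid 2.7 does not predefine these, so define them explicitly.
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl monitor src 10.0.0.100/255.255.255.255
acl manager proto cache_object
acl purge method PURGE

# Cache manager and PURGE stay restricted to local/monitoring hosts.
http_access allow manager localhost
http_access allow manager monitor
http_access deny manager
http_access allow purge localhost
http_access allow purge monitor
http_access deny purge

# Reverse-proxy traffic: allowed by destination site, and routed only to the
# origin peer. Nothing here grants access by destination *port*.
http_access allow our_sites
cache_peer_access solr_origin allow our_sites
cache_peer_access solr_origin deny all

# --- Forward-proxy part: configured after, and independently of, the accelerator ---
http_port 3128

# Assumed internal client range for the forward proxy; adjust to your network.
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 443 8080 8983
acl CONNECT method CONNECT
acl SSL_ports port 443

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet

# Anything not matched above (including internet-bound requests from outside
# localnet that the old "allow web_ports" rule would have admitted) is refused.
http_access deny all
http_reply_access allow all
icp_access deny all
```

Compared with the original `acl web_ports port 8983 8080 80` / `http_access allow web_ports` pair, the accelerator now decides by where the request is going (the site name behind the peer), not by which port the remote end listens on, so a client on port 3128 can no longer use the proxy to reach arbitrary port-80/8080/8983 hosts. A quick check after reloading is to request an unrelated external site through port 3128 from an address outside `localnet` and confirm Squid answers with 403 rather than fetching it.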
Received on Tue Jul 28 2009 - 23:14:10 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 29 2009 - 12:00:05 MDT