Amos I removed the max-age from the http headers and SQUID kept the file in the cache directory. The problem is that only the first request needs to authenticate. Is there any way I can configure SQUID / back-end server to force the authentication on each request but will serve the data from the cache dir? Thank you. -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: Tuesday, February 12, 2008 13:43 PM To: Tomer Brand Cc: squid-users@xxxxxxxxxxxxxxx Subject: Re: SQUID cache proxy with SSL (Version 3.0 STABLE-1) Tomer Brand wrote: > Hi, > > I am trying to configure squid to function as SSL cache proxy for an authenticated object (using login=PASS in the cache_peer directive) > To do that I've added the "cache-control=public, must-revalidate, max-age=0" directive to the back-end server whose files I would like to cache. > This works great for me when configuring a non-SSL(port 6666) SQUID-based proxy. > However when I access the proxy using SSL (port 4444 below) the cache file is deleted every time and the cache is not used. Which is what max-age=0 means. "never use again". I think, leave that off an it will do IMS on each request. > > SQUID receives HTTPS requests, performs the SSL termination as expected, gets the data from the back end server and saves the file to the cache directory. > > Then I pass the SQUID HTTP request, asking for the same file. SQUID serves the data from the cache. > Next step is to ask the same file with HTTPS. This time SQUID clears that file from the cache and download it from the back end server. > > So I used Wireshark to identify the difference: > SQUID pass the HTTP request using the If-None-Match header while the HTTPS request doesn't contain this directive in the header. > > Anyone got any idea? > > bellow is my squid.conf file: > > acl manager proto cache_object > acl localhost src 127.0.0.1/32 > acl localhostdomain src 10.10.10.10 > acl to_localhost dst 127.0.0.0/8 > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl Safe_ports port 6666 # SQIOD port > acl CONNECT method CONNECT > http_access allow manager localhost > http_access deny manager > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localnet > http_access allow all > icp_access allow localnet > icp_access deny all > htcp_access allow localnet > htcp_access deny all > https_port 4444 vhost vport cert=/home/tomer/Desktop/certificate.pem key=/home/tomer/Desktop/key.pem > http_port 6666 vhost vport > cache_peer 10.10.10.10 parent 8050 0 originserver default login=PASS > cache_dir ufs /usr/local/squid/var/cache 100 16 256 > maximum_object_size 2097000 KB # A bit below 2 GB - SQUID maximum file size hierarchy_stoplist cgi-bin ? > access_log /usr/local/squid/var/logs/access.log squid > acl QUERY urlpath_regex cgi-bin \? > cache deny QUERY > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern . 0 20% 4320 > icp_port 3130 > coredump_dir /usr/local/squid/var/cache > visible_hostname ubuntu > -- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.