On 26/08/2014 3:29 p.m., Lawrence Pingree wrote: > I'm not sure if this is right or not, but wouldn't your refresh patterns > need to have the "ignore-private" to cache ssl? Amos may know better, but I > don't see that option specified in your "All Files" refresh_patterns. HTTPS is not particularly private in the HTTP sense. It is just regular HTTP traffic wrapped in underlying transport security encryption. It does have a security scope difference from HTTP as to though due to that encryption. That scope difference is handled by the URL scheme portion. For example Squid must not and will not HIT on a http:// URL in cache for https:// request of otherwise identical URL, and vice versa. >From the administrative viewpoint there is a higher risk with HTTPS of application designers breaking things and making vulnerable software simply by not understanding the above. There is high pressure to get privacy protection right with "insecure" http:// but weak for "secure" https:// on things like OAuth traffic and eCommerce checkout pages where they should have sent Cache-Control:private or no-store regardless. Amos
