On 21/08/2015 11:39 p.m., FredB wrote:
> Hi all,
>
> I think I misunderstand something but why refresh pattern is not useless ?
> I mean the objects are supposed to be delivered with instructions from the web server, lifetime, creation time, etc
>

Well, we like it when they do. Since that makes things easy and predictable. Especially for the third-party debugging. But no they are not actually required to.

Still the HTTP freshness algorithm does have a certain fixed set of parameters that are needed to calculate freshness for every response object. In the absence of header values from the server the refresh_pattern whose regex matches the URL provides the default values for the parameters min/max-storage-time and lifetime-expectancy-percent.

> I thought, and it seems I'm wrong ?, that squid check the HTTP header when the object seems expired (HEAD request), if yes the object should be refreshed, or not, when its life is ended ?
>

Sending a HEAD request would use an RTT of latency, plus server CPU cycles just to figure out if another fetch was needed. HTTP/1.0 has to work that way because it has no revalidation mechanism.

HTTP/1.1 revalidation collapses all that cost down into one with a conditional-GET request (aka, IMS or INM). Which either updates just headers, or headers+payload in one go.

Still, by not sending explicit values the server is offering cache admin the privilege of deciding for themselves what type of storage profile to use. refresh_pattern is the squid.conf mechanism for doing that.

> Force a long refresh pattern is not dangerous ? For example with some security files.
>

HTTP specs permit up to 68 years storage for any given item. That is imposed only by a need for age values to fit within a 32-bit integer.

Objects with security sensitive details MUST be labelled appropriately as Expires:-1 and Cache-Control: private, no-store, no-transform - whichever applies to that object's data. Caches MUST obey those controls.

"MUST" being the spec emphasis and meaning for mandatory requirement. And the key reason why I go on so much about not using the override-* and ignore-* options on refresh_pattern. Or at least targeting those patterns VERY specifically at sites that are so broken there is no choice.

Every time they are used on an object it "breaks the Internet" for someone, usually the admin's own users/customers.

Amos