Heh. The same question I've asked earlier. Condolences.

You can try at your own risk. But.... B1 security and your full responsibility.

25.09.15 1:32, Jorgeley Junior wrote:
> So, if my traffic is more https than http there's no need to use squid.
> Man, most of sites are https, what's the purpose of using squid?
>
> 2015-09-24 16:13 GMT-03:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>
> > First. This is potentially dangerous. Can you guarantee your proxy never
> > has physical/network access by intruders? HTTPS can contain sensitive data.
> > You really sure you want problems with users? As a minimum you need protect
> > your proxy at level B2 (by Orange Book).
> >
> > Second. Yes, it is dangerous, but possible with SSL Bump. With very aggressive
> > cache parameters and with conjunction previous sentence. So, this is
> > dangerous for many sites - for its functionality and security, in general.
> >
> > You still sure you want to do this?
> >
> > 24.09.15 20:46, Jorgeley Junior wrote:
> >>> Can we do that to cache https?
> >>> http_port 3128 ssl-bump generate-host-certificates=on
> >>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/monkey.pem
> >>>
> >>> 2015-09-24 11:24 GMT-03:00 Jorgeley Junior <jorgeley@xxxxxxxxx>:
> >>>
> >>>> Is it not possible to cache the https due the encryption?
> >>>>
> >>>> 2015-09-18 9:44 GMT-03:00 Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx>:
> >>>>
> >>>>> On Friday 18 September 2015 at 14:27:42, Jorgeley Junior wrote:
> >>>>>
> >>>>>> there is a way to improve it?
> >>>>>
> >>>>> Improve what? The percentage of your traffic which is cached, or the
> >>>>> accuracy of the information reported by your monitoring system?
> >>>>>
> >>>>> If you want to cache more content:
> >>>>>
> >>>>> 1. Make sure the sites being visited have available content (note that
> >>>>> 12.6% of your requests resulted in the remote server saying some
> >>>>> variation on "nothing available").
> >>>>>
> >>>>> 2. Ignore things which are meaningless - such as the 27% of your
> >>>>> requests which resulted in 407 Authentication Required - that tells you
> >>>>> nothing about whether the user then successfully authenticated and got
> >>>>> what they wanted, or didn't, but either way it's a standard response
> >>>>> from the server which tells you nothing about the effectiveness of your
> >>>>> cache.
> >>>>>
> >>>>> 3. Make sure your traffic is HTTP instead of HTTPS.
> >>>>>
> >>>>> 4. Make sure your users are visiting the same sites repeatedly so that
> >>>>> content which gets cached gets re-used.
> >>>>>
> >>>>> 5. Make sure the sites they're visiting are not setting "don't cache" or
> >>>>> "already expired" headers (such as is common for news sites, for
> >>>>> example) so that the content is cacheable.
> >>>>>
> >>>>> 6. Run your cache for long enough that it's likely to have a
> >>>>> representative proportion of what the users are asking for when you
> >>>>> start measuring its effectiveness - if you start from an empty cache and
> >>>>> pass requests through it, it's going to take some time for the content
> >>>>> to build up so that you see some hits.
> >>>>>
> >>>>> If you want to improve the information you're getting from the
> >>>>> monitoring system, make sure it's telling you how much was cached as a
> >>>>> proportion of requests which could have been cached - in other words,
> >>>>> leave out HTTPS (36%) and 407 Auth Required (27%), plus anything where
> >>>>> the remote server had nothing to provide (13%), and requests where the
> >>>>> user's browser already had a cached copy and didn't need to request an
> >>>>> update (4%).
> >>>>>
> >>>>> That throws out 80% of your current statistics, so you concentrate on
> >>>>> the data about connections Squid *could* have helped with.
> >>>>>
> >>>>>> 2015-09-18 8:25 GMT-03:00 Antony Stone:
> >>>>>>> On Friday 18 September 2015 at 13:13:27, Jorgeley Junior wrote:
> >>>>>>>> hey guys, forgot-me? :(
> >>>>>>>
> >>>>>>> Surely you can see for yourself how many connections you've had of
> >>>>>>> different types? Here are the most common (all those over 100
> >>>>>>> instances) from your list of 5240 results
> >>>>>>>
> >>>>>>>>> 290 TAG_NONE/503
> >>>>>>>>> 368 TCP_DENIED/403
> >>>>>>>>> 1421 TCP_DENIED/407
> >>>>>>>>> 680 TCP_MISS/200
> >>>>>>>>> 192 TCP_REFRESH_UNMODIFIED/304
> >>>>>>>>> 1896 TCP_TUNNEL/200
> >>>>>>>
> >>>>>>> So:
> >>>>>>>
> >>>>>>> 290 (5.5%) got a 503 result (service unavailable)
> >>>>>>> 368 (7%) were denied by the remote server with code 403 (forbidden)
> >>>>>>> 1421 (27%) were denied by the remote server with code 407 (auth required)
> >>>>>>> 680 (13%) were successfully retrieved from the remote servers but were
> >>>>>>> not previously in your cache
> >>>>>>> 192 (3.6%) were already cached by your browser and didn't need to be
> >>>>>>> retrieved
> >>>>>>> 1896 (36%) were successful HTTPS tunneled connections, simply being
> >>>>>>> forwarded by the proxy
> >>>>>>>
> >>>>>>> This accounts for 4847 (92.5%) of your 5240 results.
> >>>>>>>
> >>>>>>> As you can see, just measuring HIT and MISS is not the whole picture.
> >>>>>>>
> >>>>>>> Hope that helps,
> >>>>>>>
> >>>>>>> Antony.
> >>>>>
> >>>>> --
> >>>>> "The problem with television is that the people must sit and keep their
> >>>>> eyes glued on a screen; the average American family hasn't time for it."
> >>>>>
> >>>>> - New York Times, following a demonstration at the 1939 World's Fair.
> >>>>>
> >>>>> Please reply to the list; please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
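
Added example (not part of the original thread and not Squid project code): the adjusted measurement described in the quoted advice, counting cache hits only against requests Squid could have cached. The sample log lines are constructed, and the exclusion list (TCP_TUNNEL plus statuses 403, 407, 503 and 304) is this example's reading of the categories named in the thread.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout (not data from the thread).
# Field 4 of each line is the result tag, e.g. TCP_MISS/200.
SAMPLE_LOG = """\
1442579201.101   95 10.0.0.5 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1442579201.350  110 10.0.0.5 TCP_MISS/200 9120 GET http://example.com/ alice HIER_DIRECT/192.0.2.10 text/html
1442579202.020   12 10.0.0.6 TCP_HIT/200 9120 GET http://example.com/ bob HIER_NONE/- text/html
1442579202.500 3021 10.0.0.6 TCP_TUNNEL/200 5310 CONNECT mail.example.net:443 bob HIER_DIRECT/192.0.2.20 -
1442579203.100    3 10.0.0.7 TCP_DENIED/403 3890 GET http://blocked.example/ carol HIER_NONE/- text/html
1442579203.900  801 10.0.0.7 TAG_NONE/503 0 CONNECT down.example.org:443 carol HIER_NONE/- -
1442579204.200   40 10.0.0.5 TCP_REFRESH_UNMODIFIED/304 310 GET http://example.com/logo.png alice HIER_DIRECT/192.0.2.10 -
1442579204.800    2 10.0.0.8 TCP_MEM_HIT/200 1500 GET http://example.com/app.js dave HIER_NONE/- application/javascript
1442579205.300  150 10.0.0.8 TCP_MISS/200 7000 GET http://example.org/ dave HIER_DIRECT/192.0.2.30 text/html
1442579205.900 2500 10.0.0.5 TCP_TUNNEL/200 8100 CONNECT shop.example.com:443 alice HIER_DIRECT/192.0.2.40 -
"""

# Assumption of this example: statuses the thread says to leave out of the denominator.
EXCLUDED_STATUS = {"403", "407", "503", "304"}


def tally(log_text):
    """Count result tags (CODE/STATUS) taken from field 4 of each log line."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "/" in fields[3]:  # skip blank or malformed lines
            counts[fields[3]] += 1
    return counts


def is_excluded(tag):
    """True for requests the cache never had a chance to serve."""
    code, _, status = tag.partition("/")
    return code == "TCP_TUNNEL" or status in EXCLUDED_STATUS


def hit_ratios(counts):
    """Return (naive ratio, adjusted ratio, number of eligible requests)."""
    total = sum(counts.values())
    eligible = {t: n for t, n in counts.items() if not is_excluded(t)}
    hits = sum(n for t, n in eligible.items() if "HIT" in t.split("/")[0])
    denom = sum(eligible.values())
    return (hits / total if total else 0.0,
            hits / denom if denom else 0.0,
            denom)


if __name__ == "__main__":
    naive, adjusted, eligible = hit_ratios(tally(SAMPLE_LOG))
    print(f"naive {naive:.0%}, adjusted {adjusted:.0%} over {eligible} eligible requests")
```
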