On 11/04/2016 4:34 p.m., johnzeng wrote: > > Hello Dear Sir : > > i am trying to imporve hit ration for cache pic file now , but i found a > strange problem . > > When i access the pic url via firefox browser , i found the content > can't be cache .( http_port 8080 tproxy at bridge mode ) > > and some helpful info is ORIGINAL_DST/171.107.188.173 at access.log > ORIGINAL_DST means that interception is being used and that NAT system was used to find the server. > When i access the pic url via firefox wget , i found the content can be > cache . > > wget -e "http_proxy=http://localhost:8081"; -e robots=off > --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) > Gecko/2008092416 Firefox/3.0.3" -r -p -nd -np -H --level=2 --tries=1 > --limit-rate=500k > http://d.ifengimg.com/w670_h326/y2.ifengimg.com/a/2016_16/93353429f03c891_size198_w670_h326.jpg > ( http_port 8081 via bridge self-host ) > > and some helpful info is - HIER_DIRECT/222.84.188.200 > DIRECT means regular forward-proxy is happening, and that DNS system was used to find the server. > > if possible , please give me some advisement , thanks . > When NAT intercept or TPROXY are involved Squid has additional security checks that have to be applied. Host header verification / forgery detection is the most noticed one. If Squid determines that the client is in fact *not* going to the server mentioned in the Host header it will let the transaction happen to that ORIGINAL_DST but cannot cache it. Some things you can do to minimize the false verify results are detailed in <http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>. Due to how some popular CDN operate we cannot completely eliminate the false results, best we can do is let it through with disabled caching. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
