On 19/05/2016 2:21 a.m., Garri Djavadyan wrote:
> On Thu, 2016-05-19 at 00:39 +1200, Amos Jeffries wrote:
>> Using ignore-private and ignore-must-revalidate on the same
>> refresh_pattern is *extremely* dangerous. Just asking to get your
>> cache pwned.
>
> I'm also using both options on the same refresh_pattern for several
> years. Can you explain the consequences? I couldn't find enough
> information in Squid's reference and RFC2616. Thanks in advance!
>

The 'private' cache-control is supposed to only be used when the response contains sensitive credentials or private data.

ignore-private has a long history of causing (not allowing. *causing*) people to log in to other people's accounts on various services. One might have heard about the recent Steam account login having "an issue with our proxy settings". I'd bet a lot it was somebody turning on "ignore-private" or the equivalent in their systems.

With the HTTP/1.1 changes I made it tell Squid to treat 'private' the same as 'must-revalidate', so that private stuff could still be forced to cache but much more safely. Ignoring both brings back all the security and privacy breach problems.

One should not be afraid of revalidation. It is the backbone of most of the mechanisms that make HTTP/1.1 more performant than 1.0.

So IMO, stay away from ignore-private like it was the plague. If you really have a reason to use it, at least don't use ignore-revalidate on the same traffic.

(I've similar advice for ignore-no-store. But at least no-store does not have the same security/privacy/credentials tie-in as private.)

>
>> Also ignore-auth makes things *not* be cacheable in all the auth
>> related cases when it would normally be stored by Squid.
>
> I always thought that the purpose of the option is the exact opposite.
> Squid's reference and any trivial test confirmed my thoughts. Sorry, but
> maybe I understood the quote incorrectly?
>

It tells Squid to ignore the auth headers in a request.
In HTTP/1.0 messages the presence of auth meant the object was non-cacheable due to sensitive credentials. So the control let people make that traffic cache.

In HTTP/1.1 messages the presence of auth is often equivalent to must-revalidate. So ignoring the headers makes the alternative controls in the headers kick in and force non-caching. The opposite of what is usually intended.

(FYI: both ignore-auth and ignore-must-revalidate are gone in Squid-4. For the above reasons.)

Amos
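A config lint for the refresh_pattern option combinations discussed in the message above, as an added example that is not part of the original thread or of Squid's own tooling. The sample configuration, the severity labels and the function names are assumptions of this example.

```python
# Constructed sample squid.conf fragment (not from the original thread).
SAMPLE_CONF = r"""
refresh_pattern -i \.(jpg|png|css)$ 1440 50% 10080 ignore-private ignore-must-revalidate
refresh_pattern ^http://updates\.example\.test/ 60 20% 4320 ignore-private
refresh_pattern -i \.iso$ 0 20% 4320 ignore-auth ignore-no-store
# refresh_pattern . 0 20% 4320 ignore-private ignore-must-revalidate
refresh_pattern . 0 20% 4320
"""

def parse_refresh_patterns(text):
    """Yield (line number, regex, option set) for each refresh_pattern line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] != "refresh_pattern":
            continue  # blank line, comment, or another directive
        args = tokens[1:]
        if args and args[0] == "-i":  # optional case-insensitive flag
            args = args[1:]
        if len(args) >= 4:  # regex, min, percent, max, then options
            yield lineno, args[0], set(args[4:])

def audit(text):
    """Return (line number, severity, message); severities are this example's own."""
    findings = []
    for lineno, regex, opts in parse_refresh_patterns(text):
        if {"ignore-private", "ignore-must-revalidate"} <= opts:
            findings.append((lineno, "HIGH",
                f"{regex}: 'private' responses cached and served without revalidation"))
        elif "ignore-private" in opts:
            findings.append((lineno, "WARN",
                f"{regex}: 'private' responses stored, kept safer only by revalidation"))
        if "ignore-auth" in opts:
            findings.append((lineno, "WARN",
                f"{regex}: ignore-auth can force non-caching of HTTP/1.1 auth traffic"))
        if "ignore-no-store" in opts:
            findings.append((lineno, "WARN", f"{regex}: no-store is being overridden"))
        gone = opts & {"ignore-auth", "ignore-must-revalidate"}
        if gone:
            findings.append((lineno, "INFO",
                f"{regex}: {', '.join(sorted(gone))} removed in Squid-4"))
    return findings

if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE_CONF):
        print(f"line {lineno}: [{severity}] {message}")
```
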