On Thu, 2016-05-19 at 05:27 +1200, Amos Jeffries wrote: > On 19/05/2016 2:21 a.m., Garri Djavadyan wrote: > > > > On Thu, 2016-05-19 at 00:39 +1200, Amos Jeffries wrote: > > > > > > Using ignore-private and ignore-must-revalidate on the same > > > refresh_pattern is *extremely* dangerous. Just asking to get your > > > cache pwned. > > I'm also using the both options on the same refresh_pattern for > > several > > years. Can you explain the consequences? I couldn't find enough > > information in Squid's reference and RFC2616. Thanks in advance! > > > The 'private' cache-control is supposed to only be used when the > response contains sensitive credentials or private data. > > ignore-private has a long history of causing (not allowing. > *causing*) > people to login to other peoples accounts on various services. One > might > have heard about the recent Steam account login having "an issue with > our proxy settings". I'd bet a lot it was somebody turing on > "ignore-private" or the equivalent in their systems. > > With the HTTP/1.1 changes I made it tell Squid to treat 'private' the > same as 'must-revalidate', so that private stuff could still be > forced > to cache but much more safely. > > Ignoring both brings back all the security and privacy breach > problems. > > One should not be afraid of revalidation. It is the backbone of most > of > the mechanisms that make HTTP/1.1 more performant than 1.0. > > So IMO, stay away from ignore-private like it was plague. If you > really > have a reason to use it. At least dont use ignore-revalidate on the > same > traffic. > > (I've similar advice for ignore-no-store. But at least no-store does > not > have the same security/privacy/credentials tie-in as private.) > > > > > > > > > > > Also ignore-auth makes things *not* be cacheable in all the auth > > > related cases when it would normally be stored by Squid. > > I always thought that the purpose of the option is exact opposite. > > Squid's reference any trivial test confirmed my thoughts. Sorry, > > but > > maybe I understood the quote incorrectly? > > > It tells Squid to ignore the auth headers in a request. > > In HTTP/1.0 messages the presence of auth meant the object was > non-cacheable due to sensitive credentials. So the control let people > make that traffic cache. > > In HTTP/1.1 messages the presence of auth is often equivalent to > must-revalidate. So ignoring the headers makes the alternative > controls > in the headers kick in and force non-caching. The opposite of what is > usually intended. > > > (FYI: both ignore-auth and ignore-must-revalidate are gone in Squid- > 4. > For the above reasons.) > > Amos Amos, thank you very much for the clarification! _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
