On 24/10/2016 6:28 a.m., garryd@xxxxxxxxx wrote: > On 2016-10-23 18:31, Amos Jeffries wrote: >> On 23/10/2016 2:32 a.m., garryd wrote: >>> Since I started use Squid, it's configuration always RFC compliant by >>> default, _but_ there were always knobs for users to make it HTTP >>> violent. It was in hands of users to decide how to handle a web >>> resource. Now it is not always possible, and the topic is an evidence. >>> For example, in terms of this topic, users can't violate this RFC >>> statement [1]: >>> >>> A Vary field value of "*" signals that anything about the request >>> might play a role in selecting the response representation, possibly >>> including elements outside the message syntax (e.g., the client's >>> network address). A recipient will not be able to determine whether >>> this response is appropriate for a later request without forwarding >>> the request to the origin server. A proxy MUST NOT generate a Vary >>> field with a "*" value. >>> >>> [1] https://tools.ietf.org/html/rfc7231#section-7.1.4 >> >> >> Please name the option in any version of Squid which allowed Squid to >> cache those "Vary: *" responses. >> >> No such option ever existed. For the 20+ years Vary has existed Squid >> has behaved in the same way it does today. For all that time you did not >> notice these responses. > > You are absolutely right, but there were not such abuse vector in the > past (at least in my practice). There were tools provided by devs to > admins to protect against trending abuse cases. What trend? There is exactly one mentioned URL that I'm aware of, the Chrome browser download URL. I've posted two reasons why Chrome uses the Vary:* header. Just opinions of mine, but formed after actual discussions with the Chrome developers some years back. [I very much dislike writing this. But you seem to have been sucked in and deserve to know the history.] All the fuss that is going on AFAICS was started by Yuri. His comment history here and in bugzilla, and in private responses range from non-compromising "cache everything no matter what - do what I say, now!" (repeatedy in unrelated bugzilla reports), "f*ck the RFCs and anyone following them, just store everything I dont care about what happens" (this mornings post), to personal attacks against anyone who mentions the previous stance might have problems (all the "Squid developers believe/say/..." comments - none of which match what the team we have actually said to him or believe). There is one other email address which changes its name occasionally and posts almost exactly the same words as Yuri's. So it looks to me as Yuri and some sock puppets performing a campaign to spread lies and FUD about Squid and hurt the people doing work on it. Not exactly a good way to get people to do things for free. But it seems to have worked on getting you and a few others now doing the coding part for him at no cost, and I have now wasted time responding to you and thinking of a solution for it that might get accepted for merge. This particular topic is not the first to have such behaviour by Yuri. There have been other things where someone made a mistake (overlooked something) and all hell full of insults broke loose at them. And several other cases where missing features in Squid did not get instant obedience to quite blunt and insulting demands. Followed by weeks of insults until the bug was fixed by other people - then suddenly polite Yuri comes back overnight. As a developer, I personally decided not to write the requested code. Not in the way demanded. This seems to have upset Yuri who has taken to insulting me and the rest of the dev team as a whole. I'm not sure if he is trolling to intentionally cause the above mentioned effects, or really in need of medical assistance to deal with work related stress. [/history] > So, the question arised, > what changed in Squid development policy? In policy: Nothing I'm aware of in the past 10 years. What changed on the Internet? a new bunch of RFCs came out, the server and clients Squid talks to all got updated to follow those documents more closely. What changed in Squid? the dev team have been slowly adding the new abilities to Squid. One by one, its only ~90% (maybe less) compliant withe the MUST conditions, not even close to that on the SHOULDs, MAYs, and implied processing abilities. What do you think should happen to Squid when all the software it talks to speaks and expects what the RFCs say they should expect from recipients/Squid ? Consider the extreme this leads towards: You could easily write a piece of software that took HTTP requests and sent back random data that looked vaguely like HTTP responses. But how useless that is when used as a proxy. So much for ignoring the HTTP specs. > Why there is no configuration > option like 'ignore_vary [acl]', so highly demanded by many users in the > list? AFAIK nobody has ever even proposed adding one until these past few weeks. A proposals to ignore "Vary: *" has come up every few years, but when the proposer was made aware of the server expectations as stated in the RFC 2616 they went away, no attempt to go any further. So I assume that means it wasn't really a problem for them, not a serious one. In RFC 2616 (or older) compliant web there is no benefit to caching these objects. The revalidate clause did not exist so the server can be expected to always produce a new one. So what is gained by caching it? a waste of space other HIT's could have used better. Negative benefits really, not even zero gain. The middle sentence of that part of RFC 7231 has only existed for the past few years. Even I had overlooked it until today. Sorry, but I have been concentrating on getting Cache-Control going properly (no-cache and side effects are still a hot topic 4 years after it went in). Vary is much broken in other serious ways, '*' storage seems a minor issue to me. Also be aware that Squid is still in the process of moving from HTTP/1.0 behaviour to HTTP/1.1 revalidation. We (Eduard, Alex and myself) have not magically made everything work perfectly in one release. This is one of probably many cases where revalidation is potentially usable - just that nobody has coded it yet. Or cases which were previously forbidden and HTTPbis discussions (recent 7-ish years) shown that other vendors are widely okay with it so its been allowed now by the 723x RFC series. As maintainer its my responsibility to point out the issues to anyone even proposing a violation gets added. To make sure they are aware of the expectations the servers and clients may have of Squid. All violation proposals get the same treatment (heck all patches get this same treatment too, I'm just a little more lenient on compliance increasing patches): - make the proposer aware of the problems they will cause, ** my posts in reply to this and other threads. - mention any alternatives (where available), ** others have mentioned eCAP/ICAP as better suited to such violations. That is exactly what those interfaces are designed for. ** re-reading the section you quoted above, the middle sentence adds a possibility I overlooked earlier. You now have a potential direction to go without even doing any violation. The audit process shows its worth right there :-). - and let them decide if it is worth the trouble to go forward. ** so far mostly whats happened is a lot of complaints that "Squid dev team" are not providing things for free, on demand, to service a very abusive and extremist person. Or just outright abuse. Seems like the individual who started the discussions does not care about getting it to happen. You care more, and as you say below ... > Personally, I'm no affected by the Vary abuse, but I suppose there > will be increasing number of abuse cases in the future. Me neither (for seeing the problem in my sysadmin roles), so for both of us and many others it seems (to me) not to be a major problem. Or at least not worth facing the consequences the proposed change risks causing. We can guess at what the future holds. But until we get there we really dont know. My view of things includes years of app developer queries sent to the IETF HTTPbis WG. There is an increasing number of applications that *need* proxies to follow the spec requirements. I am not seeing them much in the wild yet, but those applications are definitely around and breaking them could lead people to a lot of trouble. FWIW: The current spec for HTTP/1.1 is extremely tollerant. There are a very few places where it comes to an absolute inviolate rule. Those are cases which have very clear use-case mentioned in the spec and problems being avoided mentioned as well. For example the quoted section above about Vary. I overlooked that middle sentance that has been added since 2616. That creates the leeway we need to cache the object within compliance. We are thusly allowed to treat "Vary:*" as another of the must-revalidate caching cases, just like Cc:private or Authenticated responses. (From the use-cases that have been mentioned in IETF WG about this header, and cases people have been advised to use it I very much doubt any server will respond with 304 to such revalidation. But we might get lucky, or future servers might do so.) NP: all previous discussions and proposals of Vary:* handling came up when 2616 was the spec to follow, and Squid did not do 1.1 much anyway - so using revalidation was not even on the horizon so to speak. Anyhow, back to me rant ;-P The current specs were written by representatives standing for *all* the major browsers, *all* the major web servers, *all* the major language/library frameworks, almost all the major command-line tools, and many application developers as well. So it is not written in isolation by some few "ivory tower types" Yuri would have you believe (yes some specs are - HTTP is not, or at least those types are outnumbered for HTTP). The RFC 723x set is explicitly a collection of details about how the current HTTP applications actually found around the world *do* talk to each other today and how best to exchange messages so the processing operations are understood at both ends of the network connection. The HTTP RFC's are effectively a description of current best practice. Violating is only useful if you are fixing some broken application your particular proxy has to deal with. All other cases are just causing inefficiency and varying amounts of nasty depending on the violation. This latter point is part of why we require a clear use-case before accepting violation patches - the need for it should be well thought out. People who choose to violate that type of spec without a good reason are just being stupid. The three persons (well, 2 use aliased email addresses - I suspect are actually one or two persons from the same region of the world) providing the most noise about Vary keep demanding it be provided for free. > One of your > answers confirmed my assumption regarding the question: > >> - there is a very high risk of copy-and-paste sysadmin spreading the >> problems without realising what they are doing. Particularly since those >> proposing it are so vocal about how great it *seems* for them. > When someone else does the coding I act as both auditor and maintainer. The policies checked during audit do not go into good/bad judgements - just: code style, quality (no identifiable bugs) and a clear statement of the need behind the addition (for the merge repo comment to guide future maintenance of that code). As maintainer I merge patches myself only if I'm happy to take on code maintenance for them, or supplier explicitly takes it on themselves (ie helper authors). Sometimes I get patches up to scratch in audit then let others merge, or advise they just be used as custom patches. In the latter case we at least know that patch is not full of obvious bug behaviours. But note so far *nobody* has submitted patches to audit about this. It has all just been a rather heated discussion in various unrelated bug reports and some threads in this users list. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users