Re: [squid-users] FW: squid 3.3.10 always gives TCP_MISS for SSL requests

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 26 Aug 2014 16:13:54 +1200

On 26/08/2014 3:29 p.m., Lawrence Pingree wrote:
> I'm not sure if this is right or not, but wouldn't your refresh patterns
> need to have the "ignore-private" to cache ssl? Amos may know better, but I
> don't see that option specified in your "All Files" refresh_patterns.

HTTPS is not particularly private in the HTTP sense. It is just regular
HTTP traffic wrapped in underlying transport security encryption. It
does, though, have a security scope difference from HTTP due to that
encryption.

That scope difference is handled by the URL scheme portion. For example,
Squid must not and will not HIT on an http:// URL in cache for an https://
request of an otherwise identical URL, and vice versa.

From the administrative viewpoint there is a higher risk with HTTPS of
application designers breaking things and making vulnerable software
simply by not understanding the above. There is high pressure to get
privacy protection right with "insecure" http:// but weak for "secure"
https:// on things like OAuth traffic and eCommerce checkout pages where
they should have sent Cache-Control:private or no-store regardless.

Amos
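A small model of a shared proxy cache, added here as an illustration of the two points in the reply above (it is not Squid's code): the URL scheme is part of the cache key, so http:// and https:// never share an entry, and Cache-Control: private or no-store keeps a response out of a shared cache unless the operator explicitly overrides that. The `ignore_private` flag is an assumption of this example, standing in for the refresh_pattern option the thread mentions; all URLs and headers are constructed.

```python
from urllib.parse import urlsplit


def cache_key(url):
    """Scheme is part of the key: an https:// request can never HIT
    an entry stored for the otherwise identical http:// URL."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path or "/")


def parse_cache_control(value):
    """Turn 'private, max-age=60' into {'private': None, 'max-age': '60'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def storable_in_shared_cache(headers, ignore_private=False):
    """RFC 7234: a shared cache must not store 'private' or 'no-store'
    responses. The scheme plays no part here; only the headers do."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc:
        return False
    if "private" in cc and not ignore_private:
        return False
    return True


class SharedCache:
    """Toy shared cache keyed by (scheme, host, path). Constructed example."""

    def __init__(self, ignore_private=False):
        self.ignore_private = ignore_private  # hypothetical operator override
        self.store = {}

    def on_response(self, url, headers, body):
        if storable_in_shared_cache(headers, self.ignore_private):
            self.store[cache_key(url)] = body

    def lookup(self, url):
        return self.store.get(cache_key(url))  # None means a MISS
```

With the override off, an HTTPS checkout page marked private stays out of the cache; with it on, the same response is stored and handed to the next client, which is the risk the reply describes for application authors who omit the header entirely.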
Received on Tue Aug 26 2014 - 04:14:09 MDT
