Stop squid caching 302 and 307 with deny_info
Posted
by
0xception
on Server Fault
See other posts from Server Fault
or by 0xception
Published on 2012-10-23T00:58:24Z
Indexed on
2012/10/23
5:10 UTC
Read the original article
Hit count: 465
TLDR: 302, 307 and Error pages are being cached. Need to force a refresh of the content.
Long version: I've setup a very minimal squid instance running on a gateway which shouldn't not cache ANYTHING but needs to be solely used as a domain based web filter. I'm using another application which redirects un-authenticated users to the proxy which then uses the deny_info option redirects any non-whitelisted request to the login page. After the user has authenticated the firewall rule gets placed so they no longer get sent to the proxy.
The problem is that when a user hits a website (xkcd.com) they are unauthenticated so they get redirected via the firewall:
iptables -A unknown-user -t nat -p tcp --dport 80 -j REDIRECT --to-port 39135
to the proxy at this point squid redirects the user to the login page using a 302 (i've also tried 307, and i've also make sure the headers are set to no-cache and/or no-store for Cache-Control and Pragma). Then when the user logs into the system they get firewall rule which no longer directs them to the squid proxy. But if they go to xkcd.com again they will have the original redirection page cached and will once again get the login page.
Any idea how to force these redirects to NOT be cached by the browser? Perhaps this is a problem w/ the browsers and not squid, but not sure how to get around it.
Full squid config below.
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.182.0/23 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl https port 443
acl http port 80
acl CONNECT method CONNECT
#
# Disable Cache
#
cache deny all
via off
negative_ttl 0 seconds
refresh_all_ims on
#error_default_language en
# Allow manager access only from localhost
http_access allow manager localhost
http_access deny manager
# Deny access to anything other then http
http_access deny !http
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !https
visible_hostname gate.ovatn.net
# Disable memory pooling
memory_pools off
# Never use neigh cache objects for cgi-bin scripts
hierarchy_stoplist cgi-bin ?
#
# URL rewrite Test Settings
#
#acl whitelist dstdomain "/etc/squid/domains-pre.lst"
#url_rewrite_program /usr/lib/squid/redirector
#url_rewrite_access allow !whitelist
#url_rewrite_children 5 startup=0 idle=1 concurrency=0
#http_access allow all
#
# Deny Info Error Test
#
acl whitelist dstdomain "/etc/squid/domains-pre.lst"
deny_info http://login.domain.com/ whitelist
#deny_info ERR_ACCESS_DENIED whitelist
http_access deny !whitelist
http_access allow whitelist
http_port 39135 transparent
## Debug Values
access_log /var/log/squid/access-pre.log
cache_log /var/log/squid/cache-pre.log
# Production Values
#access_log /dev/null
#cache_log /dev/null
# Set PID file
pid_filename /var/run/gatekeeper-pre.pid
SOLUTION:
I believe I might have found a solution to this. After days and days trying to figure it out, only through a random stumble I found
client_persistent_connections off
server_persistent_connections off
This did the trick. So it wasn't so much cache as it was a single persistent connection messing things up. W000T!
© Server Fault or respective owner
