So, if my traffic is more https than http there's no need to use squid. Man, most sites are https, what's the purpose of using squid?

2015-09-24 16:13 GMT-03:00 Yuri Voinov <yvoi...@gmail.com>:

> First. This is potentially dangerous. Can you guarantee your proxy never
> has physical/network access by intruders? HTTPS can contain sensitive data.
> You really sure you want problems with users? As a minimum you need to protect
> your proxy at level B2 (by Orange Book).
>
> Second. Yes, it is dangerous, but possible with SSL Bump. With very aggressive
> cache parameters and in conjunction with the previous sentence. So, this is
> dangerous for many sites - for its functionality and security, in general.
>
> You still sure you want to do this?
>
> 24.09.15 20:46, Jorgeley Junior wrote:
> > Can we do that to cache https?
> > http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/monkey.pem
> >
> > 2015-09-24 11:24 GMT-03:00 Jorgeley Junior <jorge...@gmail.com>:
> >
> >> Is it not possible to cache the https due to the encryption?
> >>
> >> 2015-09-18 9:44 GMT-03:00 Antony Stone <antony.st...@squid.open.source.it>:
> >>
> >>> On Friday 18 September 2015 at 14:27:42, Jorgeley Junior wrote:
> >>>
> >>>> is there a way to improve it?
> >>>
> >>> Improve what? The percentage of your traffic which is cached, or the
> >>> accuracy of the information reported by your monitoring system?
> >>>
> >>>
> >>> If you want to cache more content:
> >>>
> >>> 1. Make sure the sites being visited have available content (note that
> >>> 12.6% of your requests resulted in the remote server saying some
> >>> variation on "nothing available").
> >>>
> >>> 2. Ignore things which are meaningless - such as the 27% of your requests
> >>> which resulted in 407 Authentication Required - that tells you nothing
> >>> about whether the user then successfully authenticated and got what they
> >>> wanted, or didn't, but either way it's a standard response from the
> >>> server which tells you nothing about the effectiveness of your cache.
> >>>
> >>> 3. Make sure your traffic is HTTP instead of HTTPS.
> >>>
> >>> 4. Make sure your users are visiting the same sites repeatedly so that
> >>> content which gets cached gets re-used.
> >>>
> >>> 5. Make sure the sites they're visiting are not setting "don't cache" or
> >>> "already expired" headers (such as is common for news sites, for example)
> >>> so that the content is cacheable.
> >>>
> >>> 6. Run your cache for long enough that it's likely to have a
> >>> representative proportion of what the users are asking for when you start
> >>> measuring its effectiveness - if you start from an empty cache and pass
> >>> requests through it, it's going to take some time for the content to
> >>> build up so that you see some hits.
> >>>
> >>>
> >>> If you want to improve the information you're getting from the monitoring
> >>> system, make sure it's telling you how much was cached as a proportion of
> >>> requests which could have been cached - in other words, leave out HTTPS
> >>> (36%) and 407 Auth Required (27%), plus anything where the remote server
> >>> had nothing to provide (13%), and requests where the user's browser
> >>> already had a cached copy and didn't need to request an update (4%).
> >>>
> >>> That throws out 80% of your current statistics, so you concentrate on the
> >>> data about connections Squid *could* have helped with.
> >>>
> >>>> 2015-09-18 8:25 GMT-03:00 Antony Stone:
> >>>>> On Friday 18 September 2015 at 13:13:27, Jorgeley Junior wrote:
> >>>>>> hey guys, forgot me? :(
> >>>>>
> >>>>> Surely you can see for yourself how many connections you've had of
> >>>>> different types? Here are the most common (all those over 100
> >>>>> instances) from your list of 5240 results
> >>>>>
> >>>>>>> 290 TAG_NONE/503
> >>>>>>> 368 TCP_DENIED/403
> >>>>>>> 1421 TCP_DENIED/407
> >>>>>>> 680 TCP_MISS/200
> >>>>>>> 192 TCP_REFRESH_UNMODIFIED/304
> >>>>>>> 1896 TCP_TUNNEL/200
> >>>>>
> >>>>> So:
> >>>>>
> >>>>> 290 (5.5%) got a 503 result (service unavailable)
> >>>>> 368 (7%) were denied by the remote server with code 403 (forbidden)
> >>>>> 1421 (27%) were denied by the remote server with code 407 (auth required)
> >>>>> 680 (13%) were successfully retrieved from the remote servers but were
> >>>>> not previously in your cache
> >>>>> 192 (3.6%) were already cached by your browser and didn't need to be
> >>>>> retrieved
> >>>>> 1896 (36%) were successful HTTPS tunneled connections, simply being
> >>>>> forwarded by the proxy
> >>>>>
> >>>>> This accounts for 4847 (92.5%) of your 5240 results.
> >>>>>
> >>>>> As you can see, just measuring HIT and MISS is not the whole picture.
> >>>>>
> >>>>>
> >>>>> Hope that helps,
> >>>>>
> >>>>>
> >>>>> Antony.
> >>>
> >>> --
> >>> "The problem with television is that the people must sit and keep their
> >>> eyes glued on a screen; the average American family hasn't time for it."
> >>>
> >>> - New York Times, following a demonstration at the 1939 World's Fair.
> >>>
> >>> Please reply to the list;
> >>> please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
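
The measurement advice quoted in the thread above (leave out HTTPS tunnels, 407 challenges, "nothing available" responses and 304 refreshes before judging the cache) can be sketched as follows. This is an added example, not code from any of the posters or from the Squid project; it assumes Squid's default native access.log layout, the log lines are constructed, and the bucket and function names are hypothetical.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (not the thread's log):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1443121200.101 120 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT example.com:443 alice HIER_DIRECT/192.0.2.10 -
1443121200.350 2 10.0.0.6 TCP_DENIED/407 3900 GET http://example.org/ - HIER_NONE/- text/html
1443121201.020 85 10.0.0.6 TCP_MISS/200 20480 GET http://example.org/ bob HIER_DIRECT/192.0.2.20 text/html
1443121202.500 1 10.0.0.7 TCP_HIT/200 20480 GET http://example.org/ carol HIER_NONE/- text/html
1443121203.000 1 10.0.0.7 TCP_MEM_HIT/200 1024 GET http://example.org/logo.png carol HIER_NONE/- image/png
1443121204.700 40 10.0.0.5 TCP_REFRESH_UNMODIFIED/304 310 GET http://example.org/app.js alice HIER_DIRECT/192.0.2.20 -
1443121205.900 30 10.0.0.8 TAG_NONE/503 0 GET http://down.example.net/ dave HIER_NONE/- text/html
1443121206.100 3 10.0.0.8 TCP_DENIED/403 3700 GET http://blocked.example.net/ dave HIER_NONE/- text/html
this line is malformed
"""

def classify(result_code):
    """Map a 'TAG/status' field to a bucket (bucket names are hypothetical)."""
    tag, _, status = result_code.partition("/")
    if tag == "TCP_TUNNEL":
        return "https_tunnel"        # CONNECT traffic forwarded as-is by the proxy
    if status == "407":
        return "auth_required"       # challenge only, says nothing about caching
    if status in ("403", "503"):
        return "nothing_available"   # no content was delivered to cache
    if tag == "TCP_REFRESH_UNMODIFIED" and status == "304":
        return "not_modified"        # excluded, following the thread's list
    if "HIT" in tag:                 # assumption: any *_HIT tag counts as a hit
        return "hit"
    return "miss"

def summarize(lines):
    """Return bucket counts plus the raw and the eligible-only hit ratio."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or "/" not in fields[3]:
            counts["unparsed"] += 1  # keep malformed lines visible, do not guess
            continue
        counts[classify(fields[3])] += 1
    total = sum(counts.values()) - counts["unparsed"]
    eligible = counts["hit"] + counts["miss"]
    return {
        "counts": dict(counts),
        "raw_hit_ratio": counts["hit"] / total if total else 0.0,
        "eligible_hit_ratio": counts["hit"] / eligible if eligible else 0.0,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

On the constructed sample the raw ratio is 2 hits out of 8 parsed requests, while the ratio over requests Squid could have served from cache is 2 out of 3.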