Re: [squid-users] ignore-auth when signature is passed as a query

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 23 Feb 2014 17:03:09 +1300

On 23/02/2014 4:19 p.m., Rajiv Desai wrote:
> Hi,
>
> I use ignore-auth for caching urls with signature and that works great.
> For some endpoints, signature is added as a query (which is otherwise
> an "Authorization" header). Is there a way to perhaps ignore-query?
>
> Currently, I see that replies are cached even when they have queries,
> however query is a part of the url and thereby a part of the key used
> for the object stored in cache.
> Due to this I don't get a cache hit for a subsequent GET request which
> has a different temporal signature.

Yes. These are different resources. At least that is what the URL says.
One different set of content for each auth'd users account ...

>
> I understand why the default behavior is to do what it does and the
> implications of unauthorized access without signature verification.
> However, for my use case bypassing signature verification with squid
> cache is useful and appropriate.
>
>
> Please let me know if there is a workaround with which all query
> parameters can be ignore for caching purpose.

In the latest Squid (3.4+) you can use a store-ID helper to de-duplicate
the URLs by having it tell Squid to use a URL without those parameters
as the cache key.
 However be VERY sure that this server is not changing any of the actual
object content per-user. Oterwise you could have users cache-busting
each others content and causing you even worse bandwidth waste than you
have already.

Amos
Received on Sun Feb 23 2014 - 04:03:21 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 23 2014 - 12:00:06 MST