Proxying HTTPS for an internal service

June 18, 2011 by

Since version 2.6 changed the way http_port worked and let Squid service multiple different types of traffic simultaneously people have been struggling with one setup which should to all outward appearances be quite simple.

I’m speaking of the scenario where you have a proxy serving as both a forward-proxy gateway for the internal LAN users and as a reverse-proxy gateway for some SSL secured internal services (an HTTPS internal site).

Both setups are essentially simple. For the reverse-proxy you setup an origin cache_peer with SSL certificate options. Perhapse an https_port to receive external traffic.  For the forward-proxy you setup users browsers to contact the proxy for their HTTP and HTTPS requests. Perhapse with NAT interception to force those who refuse.

They you discover that Squid can’t seem to relay requests from internal users to your internal peer. You get warnings about clientNegotiateSSL failing on plain HTTP requests. Even though it may appear the user was opening HTTPS properly to contact it.

The problem is that when relaying through a known proxy browser wrap their SSL request, inside a CONNECT tunnel setup request. Which is plain-text HTTP. Squid passes this intact on to any cache_peers you have configured. Even the origin one which is expecting SSL. It may do the right thing and wrap it in a second layer of SSL. But that just makes things worse as the server at the other end gets this weird CONNECT request it cant do anything with.

Until recently the only fix has been to setup a bypass so that internal LAN users don’t use the proxy when visiting the internal HTTPS site. Which works perfectly for user access. But does cause problems on the recording and accounting systems which now have to track two sets of logs and filter proxy relayed requests out of one.

Or alternatively to set the LAN DNS to point users at the reverse-proxy port and figure some way to avoid forwarding loops by bypassing Squid like above or disabling the loop detection.

Both alternatives having the same problems at best. Worst case in the second you have opened some security vulnerabilities by ignoring loops.

In Squid-3.1 we have trialled two possible ways to fix this whole situation.

The first attempt was to simply not relay CONNECT to peers with origin type configured. This failed with a few unwanted side effects. One was that Squid would lookup the DNS and go to that server. Fine for most, but not all Squid have split-DNS available. Or Squid could relay it to a non-origin peer instead. Possibly halfway round the world with worse lag effects than a little extra calculation handling the logs.

The second attempt, which we are currently running with in 3.1.12 and later. Is to strip the CONNECT header and connect the tunnel straight to the peer. But only when the peer port matches the intended destination of that tunnel, and your access controls permit it for selection.

  • The port restriction is there as a simple check that the service is likely to match protocols. Even if we cant be sure which.
  • Traffic to that internal service does go through the proxy and traffic accounting only has to handle the proxy logs.
  •  Requests from LAN clients use the clients SSL certificates instead of the cache_peer configured ones.

This last point is one which can bite or confuse. If you have LAN users in this type of scenario and require all contact with the internal service to use the proxy configured certificates you will still need to configure those clients with the old methods.

 

Enjoy. And as always, if you have better ideas or problems please let us know.

Squid Proxy Server 3.1: Beginner’s Guide

February 25, 2011 by

For those who have been waiting and asking there is now a beginners guide to Squid-3.1 available for sale from Packt Publishing. Authored by Kulbir Saini.

This book seeks to be an introductory guide to Squid and specifically to the features available in the Squid-3 series so far. It covers both the basics and tricky details admin need to be aware of and understand when working with Squid. From configuring access controls through deployment scenarios to managing and monitoring the proxy operation this book has it.

It does not seek to be an update to the O’Rielly book, so there are many fine details and advanced technical descriptions missing. Although even experienced Squid admin may find new topics and features mentioned here that they were unaware of.

Disabling Authentication

February 10, 2011 by

As you may know Squid proxy builds and runs in some pretty interesting places. Amongst these is the WRT operating system. Although admittedly getting Squid small and light enough to run there is a major miniaturization job all by itself and its size still prevents other deserving applications from being used.

One of the problems that keeps popping up in this miniaturization effort is the  –disable-auth option. One would naturally expect such an option to disable authentication in Squid. It does not. So far all it does is prevent the additional helpers being built, and that only in the 3.2 series.

This month my spare-time task has been to make that directive work. To actually omit from the Squid binary as much code as possible which processes and manipulates the authentication information.

So far progress is looking good, around 900KB of the default binary size is removed.  100KB or so of run-time footprint. There are some not so obvious side effects of removing authentication which I’m going to cover here.

These changes have already landed in 3.HEAD and will be present in the 3.2 betas shortly.

In the security industry there are three terms: identification (of who or what something is), authentication (that some identification is true and correct) and authorization (that someone or thing is allowed to perform an action). Almost all access through Squid has a number of features acting to test these in various combinations. Luckily most of it takes the form of simple identification and authorization.

Authentication and ACLs

Naturally this being the goal of the project.

–disable-auth removes auth_param directives and also all ACL types which process usernames. Other than the ident username ACL which does not involve actual authentication.

IDENT

This protocol is all about identification and authorization. No authentication involved. As such its use has not been impacted in any visible way in the current Squid. However I’m noting it here since another side project underway is unifying the username details together.

–disable-auth removes the shared username objects and may in future affect storage of IDENT results.

External ACLs

External ACL helpers are permitted to perform what is called side-band authentication and return to Squid the username and password for an authenticated user. Since this is a form of authentication it dumps results into the username structures at various points.

–disable-auth will disable and remove the storage of these usernames as a possibility. Effectively disabling this type of authentication despite any support which may remain in the helper.

FTP

FTP protocol requires authentication credentials to be passed to the FTP server. Squid has several ways of doing this. Anonymous credentials are set in squid.conf and tried first. The URL may be sent containing an unsecured username and password in clear text.

Alternatively recent versions of Squid will look for HTTP Basic authentication credentials to use. Lacking any working credentials Squid will normally now reply with an HTTP authentication request, resulting in the user being able to enter their FTP login into a popup box or browser password manager.

–disable-auth or even just –disable-auth-basic will now prevent the HTTP authentication method from working in Squids FTP gateway.

Cache Manager

Squids HTTP management interface used by cachemgr.cgi, squidclient and other tools to fetch reports and perform administrative actions relies on authentication for certain actions.

Despite the fancy action@password style its URLs use this is converted into a real HTTP login header by the tools. The management interface relies on this authentication for all actions marked as protected.

–disable-auth or even just –disable-auth-basic will now prevent the Squid cache manager interface from receiving these credentials. Effectively blocking all access to the protected actions.

Delay Pools

The fancy new delay pools in Squid-3 rely on user credentials for some of their bucket types. If one thinks about it closely it becomes clear that without any authentication such pools are useless.

–disable-auth will prevent the class 4 delay pool from being built and available.

Peering

The cache_peer login directive which may normally pass on credentials to a peer via HTTP authentication headers has a complex and mixed relationship with authentication.

–disable-auth prevents login= from generating any HTTP headers. Since the auth encoding is disabled. However the PASSTHRU will still work. PASS is reduced to an exact equivalent of PASSTHRU since it may not generate a header for external ACL authenticated users.

–disable-auth-basic prevents login=username:password from working since the basic authentication header creation is disabled. However the NEGOTIATE and PASSTHRU remain working. PASS is reduced to an equivalent for PASSTHRU since the external ACL authenticated users require Basic encoding.

–disable-auth-negotiate prevents login=NEGOTIATE working since the negotiate authentication header creation is disabled. However all the other forms still work.

Project Update: Bugs, bugs, betas and breakages

October 24, 2010 by

So much for a monthly update with hints and tips. Been a year and more! So I guess this post should start again by covering what has been going on over this past year. “Not much and far too much” just about covers it …

 

Bugs …

Business as usual has seen a steady parade of upgrades from earlier versions up to 3.0 and 3.1. Bringing with it a steady stream of bug reports for all sorts of varied things overlooked or not yet fixed. The increasing number of reports people are giving of old bugs that have annoyed them without being reported is pleasing in a way. I hope this means less overall and display stuff is relatively easy

Some people have had shocks; bugs reported over a year ago being fixed suddenly and some new reports not lasting the day. I can’t stress enough how important your help in researching the problems is.

The oldest bugs are simple “Squid is doing X”. Um, yeah well, we can assume what the expected behaviour was (sometimes). After prodding (a day or so later) up comes a version number and build options.

For example; I was looking at a typical old bug today. Still open from 2007 that never got any further than build options and behaviour description despite several requests for more info.  One day somebody is going to have to setup several machines build 3.0 a couple of times with multiple features on or off and try to replicate the described problem.  Then build 3.HEAD and try to replicate X all over again starting with the same tests. Then try to figure out how its happening and whether a fix might be possible.  Well, thanks for the report anyway, at least we know to watch for it meanwhile.

Every few months like today, I trawl through these, just over 100 bugs now, looking for ones which I could maybe replicate in less than a few days. Today I’m slightly happy. One died as invalid, and two died as no longer fixable. The whole area of code they might have been in is dead.

 

… bugs …

The shorted lived bugs by comparison, are reports that version a.b.c. is doing X when it should be doing Y. They include in the case of crashes and segmentation faults a backtrace of the code (with symbol names). They include header or packet traces if the problem was communicating to some other software. Some even came with information tracking down which feature and piece of the code was going wrong. Found, tracked, patched, tested, and fixed in the main code in mere hours of work.  A HUGE thank you to everyone who reports bugs like this.

 

… betas …

Squid-3.2 has started its beta releases this year. Following the fluffy “grand plan” of being a bit more predictable:  branch in Jun with monthly betas through until a stable series probably appears Dec or Jan.

The fluffy part is caused by some more structural cleanup projects we really really want to make the code easier to work with. Well, late Oct and about half of the cleanups have been done. The stable part is today looking more like next Jan/Feb provided the rest are done and working soon.

Another post closer to 3.2 stable release will cover whats going on there in the features. Some cool stuff. If you want a sneak preview the release notes are already available.

 

… and breakages.

Ah, well. Some may recall 3.1.5.1 and friends. The background there for the inquisitive is that two feature changes clashed head-on and killed stability for two months.

I have irregular but available contact with nine of the maintainers packaging Squid for popular systems. It started slowly, growing until half of them had informed me that important sections of their users were being hit by the lack of IPv6 split-stack support in 3.1.

It surprised me a bit how many people and what in situations are insisting that IPv6 be turned off, but only partially. This was a big problem for early 3.1 series since the build process actively probed IPv6 capabilities and turned various capabilities on or off inside Squid. So an essentially simple change was made, moving the active testing into Squid startup process. Squid builds with IPv6 anywhere and runs it when available. No such luck on simple, enter all the little quiet bits assuming IPv4-only or IPv6-only sockets.

The other feature change that made the recovery even messier was a version bump to libtool in our package bundling system. In short a very simple basic upgrade omission on our part broke the tarball package. A veritable storm of hacks appeared to work around the broken tarballs and extended the fix time as testers disappeared with “it works for me now” leaving the systemic problem unresolved.

3.1.8 finally got some pedantic methodical testing before release and a fix for both problems.

 

Background to all this drama we have had an increase in focus on HTTP/1.1 support over the year from The Measurement Factory. Many of the minor behaviour bug fixes made it into the 3.1 series and the last of the big changes being held back to 3.2.

Language Negotiation and the world-wide-Squid

September 30, 2009 by

From 3.1 Squid now supports Automatic Language Negotiation.  There seems to be a little bit of confusion over what this means and what should be configured.

Obviously we would like people to enable and use the automatics. For some very good reasons which you shall understand at the end of this post. I would hope you agree by then too.

Most software you and the rest of the world will be familiar with comes in two  forms: English, or translated into your own language. You might have your computer set to  non-English language and all the software that can changes text so you can more easily read it.

All of this is very you-centric and only affects whatever machine you are using. The www is a very different beast altogether. It has to deal with everyone. At the same time too.

The best example is search engine results. You may have noticed when you do a search that some results have little tags. cached, similar pages, more, … and sometimes one called ‘translate’.  This is nice, because it means the search engine has noticed that the page is in a language you may not know and its offering a link that will translate the page to one you can read.

Ever wondered ‘how does it know’? and more importantly;  what does all this have to do with Squid?

Lets start with the second one:  What does this have to do with Squid?  well Squid. The one I run, the one you probably run, and many others around the world generate error pages.  You are sure to have seen the “404 Not Found” at some point. Probably “Access Denied” and “Connection Failed” as well.

Until now Squid has been setup and managed by someone for a specific purpose. That person sets the language those pages are displaying to something they can read and see what problems are. And here is where the confusion seems to start.

One admin who setup the new Squid promptly changed the error_directory language to German (de). Quite rightly he thought. I’m German, my customers are German, who needs any other languages installed? It will only confuse me to see other language errors. And the server is set to German so it won’t show any others anyway.

At this point I’m guessing you might agree with some or all of that assumption. For your language in the same situation, you would probably do the same yes?

Lets take a look at that search engine question. We found a website. It is written strangely in Persian. We do not have a clue whats its about. Clicking on the ‘translate’ link and we read the page.

But wait, …

… we only saw one single ‘translate’ link and surely the engine knows many languages. We should see a whole bunch, one for every language the page might be translated into.

This is where we get closer to Squid again. The HTTP protocol has a header where the browser says what languages its current user would like things displayed in. The search engine is reading that header and only showing the translate link for most prefered language it can cope with.

This is precisely what Squid now does for the error pages it creates. The language displayed depends on the visitor doing the reading when the automatics are allowed to run.  The server Squid runs on has nothing to do with the language.

Our German admin if you recall set the error_directory to German so he could read it.

Too bad for us if you or I non-German readers had a problem getting to one of his customers websites. Or if we were visiting one of his customers and using their Internet access from our laptop.

What he should have done was leave error_directory unset. When he visits the proxy to test a problem it shows german language, because has browser says to. The user who reported the problem might be reading the same message in Chinese, or Korean.

Squid provides error pages for two reasons, to explain whats gone wrong, and to explain to someone what to do about the problem.  In this world of many international people your visitors and users could be coming from any kind of background with any kind of language needs. To help reduce the number of strange language half-understood complaints we all receive the Squid team have made Squid explain things in a language the visitor can read, so you don’t have to. All you have to do is turn it on.

http://wiki.squid-cache.org/Translations#What_has_been_done.3F

Squid now speaks in over 130 national languages and dialects. 100 more than this same time just last year. Some are more complete than others, improving all the time.

Kia Ora koe.

Continuous Integration

August 18, 2009 by

For the last few years there has been a slow growing improvement to the testing and QA Squid is subject to. This last week has seen the construction and rollout  of a full-scale build farm to replace some of our simple internal testing. Robert Collins covers the growth process in his blog.

Here is the initial release notice:

Hi, a few of us dev’s have been working on getting a build-test environment up and running. We’re still doing fine tuning on it but the basic facility is working.

We’d love it if users of squid, both individuals and corporates, would consider contributing a test machine to the buildfarm.

The build farm is at http://build.squid-cache.org/ with docs about it at http://wiki.squid-cache.org/BuildFarm.

What we’d like is to have enough machines that are available to run test builds, that we can avoid having last-minute scrambles to fix things at releases.

If you have some spare bandwidth and CPU cycles you can easily volunteer.

We don’t need test slaves to be on all the time – if they aren’t on they won’t run tests, but they will when the come on. We’d prefer machines that are always on over some-times on.

We only do test builds on volunteer machines after a ‘master’ job has passed on the main server. This avoids using resources up when something is clearly busted in the main source code.

Each version of squid we test takes about 150MB on disk when idle, and when a test is going on up to twice that (because of the build test scripts).

We currently test:

  • 2.HEAD
  • 3.0
  • 3.1
  • 3.HEAD

I suspect we’ll add 2.7 to that list. So I guess we’ll use abut 750MB of disk if a given slave is testing all those versions.

Hudson, our build test software, can balance out the machines though – if we have two identical platforms they will each get some of the builds to test.

So, if your favorite operating system is not currently represented in the build farm, please let us know – drop a mail here or to noc @ squid-cache.org – we’ll be delighted to hear from you, and it will help ensure that squid is building well on your OS!

-Rob

That just about covers everything. Hardware and build software requirements are listed in the build farm page.

Hi, a few of us dev's have been working on getting a build-test
environment up and running. We're still doing fine tuning on it but the
basic facility is working.

We'd love it if users of squid, both individuals and corporates, would
consider contributing a test machine to the buildfarm.

The build farm is at http://build.squid-cache.org/ with docs about it at
http://wiki.squid-cache.org/BuildFarm.

What we'd like is to have enough machines that are available to run test
builds, that we can avoid having last-minute scrambles to fix things at
releases.

If you have some spare bandwidth and CPU cycles you can easily
volunteer. 

We don't need test slaves to be on all the time - if they aren't on they
won't run tests, but they will when the come on. We'd prefer machines
that are always on over some-times on.

We only do test builds on volunteer machines after a 'master' job has
passed on the main server. This avoids using resources up when something
is clearly busted in the main source code.

Each version of squid we test takes about 150MB on disk when idle, and
when a test is going on up to twice that (because of the build test
scripts).

We currently test
2.HEAD
3.0
3.1
3.HEAD

and I suspect we'll add 2.7 to that list. So I guess we'll use abut
750MB of disk if a given slave is testing all those versions.

Hudson, our build test software, can balance out the machines though -
if we have two identical platforms they will each get some of the builds
to test.

So, if your favorite operating system is not currently represented in
the build farm, please let us know - drop a mail here or to noc @
squid-cache.org - we'll be delighted to hear from you, and it will help
ensure that squid is building well on your OS!

-Rob

Life of a Beta

July 11, 2009 by

From early inception when the developers have nothing but dreams for it.  Through the coding and arguments about what should be included and how. Through the alpha testing with its harrowing hours pondering obscure code from last decade. Even the odd period of panic as security bugs are whispered about behind closed doors. Such is the early life of software.

Two weeks ago word went out that 3.1 was reaching end-game.

This part of the release lifecycle seems to be going well. Packages appearing very slowly as QA throws demanding eyes on the code and making us actually fix things. Don’t be fooled by the packages out already, they have been in QA for a few months to get this far. On that note:

NetBSD, Gentoo, Ubuntu, FreeBSD and RedHat already have packages ready and available for at least testing use if you know where to look (ie the links right there might be a good start).

Debian has a bit more QA to go as of the writing, but the maintainer tells me there will be packages out soon.

OpenBSD and Mac turned out at the last minute to be running split-stack IPv6 implementations (for security apparently). All the documentation read in two years left the impression it was a Windows XP anarchism (and who runs XP Pro on a server?), so support was delayed and delayed.  The OpenBSD maintainer and someone interested from Mac are working with myself on closing that gap in the features.

There may be more OS with 3.1 packages. I’ve only begun working my way down the distrowatch.org popularity list to see which OS do and who to contact. Squid has bundles on over 600 OS apparently.

If you know who does the official packaging for your OS and whether there are 3.1 packages ready, please do me a favor and mention it. I’m seeking a web page where to find the squid (or squid3/squid30/squid31) package information and also the place where distro bug reports about Squid might end up.

What is holding 3.1 back?

March 17, 2009 by

One of the major changes we made to 3.1 during its life cycle was the introduction of first-past-the-post feature additions instead of pre-planned and sealed roadmaps. Combined with a regular short release timeline instead of indeterminate long testing periods.

So why has 3.1 taken more beta releases than 3.0?

Unfortunately before that policy was implemented we did go down the old track a fair way and guaranteed that several features would make it into 3.1.  One of these (SourceLayout) has proven to be a lot of slow work. (Not major re-writing thankfully).

The other new features code for 3.1 have been tested and stabilized between 3.1.0.1 and 3.1.0.6 and are happily in use on many production environments.  But this last remaining feature still has a lot to go in and be tested for bugs. The result is 6 months delay on 3.1 and a handful of extra candidate releases, even some blockage of new stuff ready to go into 3.HEAD for the next release.

3.2 is starting off without this old legacy blocking problem, so it should be the first release to really gain the benefit of a much faster testing and release stages of production.

There are also a bunch of bugs which seem to be important but we are unable to track down and fix yet. Mostly holdovers from 3.0. The basic policy is to block release until all open bugs major or higher are closed. We might downgrade bugs to normal though if they are voted to be ignored.

While we wait for the last feature to stabilize some of us still try to work away at that list, additional volunteers are very welcome to speed things up.  Meanwhile I would like some opinions please about the final stage for 3.1:

Release 3.1

November 4, 2008 by

Kinkie pointed out Linus Torvalds blog today to the rest of us here working on Squid. As the release maintainer for Squid-3 this year I kind of agree, its a sad time to cutting a new version. For me its more of a reflection that for all the high hopes we have of this new release, we had the same or similar hopes of the earlier one. Just 12 months ago now.

On that sad note, yes its finally happened. 3.0 has aged into a full blown stable package. Most of a month and no new bugs. Perfect time for something shiny and new for the neo-tech fanclub. And so with that for an intro we are gone for 3.1 !

3.1 is available for beta testing in the form of 3.1.0.1. see the Release Notes for further details on the finer details of change.

This release has gained from the experiences of 3.0 and 2.6, starting from a much more stable base of code than the initial. 3.0 had a long period of years with few active developers, an interminably long period of testing releases, and in hindsight a premature birth.

Alongside the code this release has a wider collaboration with active users. For the first time in many years we held a Developer meeting that included Users. We who were there certainly took in a lot of feedback from all sides. I hope those users who talked to us can see in this release that their comments, even those made in passing, have been listened to and worked on.

The small comment from one user when asked what their biggest itch with squid was “we don’t like these being called STABLE, when its obvious they are not.” has led to the most notable change made to 3.1.  That comment and similar feelings by others lead us into discussions on the release naming and numbering. From which we have produced – 3.1.0.1 – the second milestone point of the branch we are calling 3.1. Where the developers have everything done and working for us.

no more DEVEL, PRE, or RC, no more premature labels guessing when things might be STABLE.  Just 3.1.0.1. Further testing from the rest of you will show whether anyone can consider it stable, unstable, usable or as buggy as raw earth.

From the developers; We use it. We love it. Try it, and see for yourselves.

Some of the stuff you will find there is;

  • a lot of small changes aimed towards easier use and configuration (three cheers to those who nagged long an hard for this).
  • a lot of network RFC compliance extensions, making 3.1 much more capable of meeting modern network needs. The future still holds improvements, but 3.1 is definitely better in many respects than everything that came before.
  • a lot of things to make Squid a better experience for your own users. More seamless network recovery tricks than ever before. We have even tagged along behind the international localization bandwagon in our own way to make the errors squid does have to show both pretty and readable.

Sadly, careful readers will notice a section of the Release Notes labeled “Regressions against 2.7″.  Yes, those of you who moved to 2.7 because you needed some brand new feature there may still have trouble migrating up to 3.1. What we have done is to port as many of the 2.6 features and fixes as we could. A few did not make it in time, but will be coming in 3.2, alongside the features added as experimental in 2.7.

On the overview:

  • 2.5 has disappeared over the horizon into the long dark night of obsoletion.
  • 2.6 is itself officially aging out now. Supported, but the developer first response is “can you try something newer?”.
  • 2.7 is being maintained for the few extremely high-performance accelerator setups. But in general the Squid-2 sequence is aging out for us developers.
  • 3.0 has reached a point of stability, though not fully-featured.
  • 3.1 is available for testing as the next step up. You should be planning to migrate up to 3.1 or later release.

If there are any features holding you to Squid-2, or even an issues you find with testing Squid-3 speak up, we rely on your input to choose the most needed features for porting.

Thank you all, and enjoy your use of Squid 3.1

Chunked Decoding

April 29, 2008 by

We have been getting a growing number of reports and bugs from people using Squid 3.0 described as ‘squid producing a blank page’ when bypassing squid apparently works.

Sounds familiar to some yes? I’m bringing it up now because while it is an old problem, its not the TCP issues Adrian wrote about earlier and you should also check if you find its not this. Which incidentally can have exactly the same visible effects for end-users.

This ‘new’ issue is caused by certain widely-used web servers which shall remain nameless and unadvertised by me. Which always respond with HTTP/1.1 chunked-encoding of pages.

Servers are explicitly forbidden from sending that particular encoding type to software announcing itself as HTTP/1.0 (such as squid). But the broken server is doing it anyway!

Ironically: The authors use this server on their own help and support website. So those who are having this problem both see it as a squid problem, and can’t find or see any solution they may have posted anyway.

How to tell if this is your problem?

Use squidclient to make a web request that bypasses the squid proxy. It should send out the HTTP/1.0 request and get a page back. If the headers of the response include “Transfer-Encoding: chunked” there is your problem.

This is currently only an issue in Squid 2.5 or earlier and 3.0, which is still highly modeled around 2.5.

The solutions are varied depending on your capabilities.

Simplest for some will be to just bypass squid for those domains.

[ UPDATE: (thanks Michael Graham)

Apparently several people are having success with simply dropping the Accept-Encoding header to certain of these broken servers. Adding this to their squid.conf :

# Fix broken sites by removing Accept-Encoding header
acl broken dstdomain …
request_header_access Accept-Encoding deny broken

NP: don’t forget to remove it again when you upgrade out of 3.0

]

Next best is to use peer-routing to divert those domain requests at a squid 2.6 (or if you are feeling experimental a 3.1 build)

If its a serious issue and you are accelerating for one of these broken web servers. Then you will need to stick with Squid 2.6 until 3.1 is available for production use.

Why does it work for 2.6 and 3.1 but not 3.0?

Well, things are a bit messy I’ll have to write it up one day. Suffice to say that 3.1 has a lot more HTTP/1.1 support where the chunked-encoding/decoding was intended for. But 2.6 needed it a bit earlier so a version of the decoding (only!) was done to fit 2.6 needs at solving this same issue for high-performance users earlier last year.

The 3.0 code is just different enough that it would need a whole new back-port project to get it going well. The time and work that would take is being used instead to get 3.1 out faster. Which should be within a month of this writing so procrastinating could solve the problem for you.

[UPDATE: Thanks to the Gentoo Project for their work back-porting this will be available from 3.0.STABLE16-RC1 ]


Follow

Get every new post delivered to your Inbox.

Join 32 other followers