Stop squid caching 302 and 307 with deny_info

Posted by 0xception on Server Fault See other posts from Server Fault or by 0xception
Published on 2012-10-23T00:58:24Z Indexed on 2012/10/23 5:10 UTC
Read the original article Hit count: 497

Filed under:
|
|
|
|

TLDR: 302, 307 and Error pages are being cached. Need to force a refresh of the content.

Long version: I've setup a very minimal squid instance running on a gateway which shouldn't not cache ANYTHING but needs to be solely used as a domain based web filter. I'm using another application which redirects un-authenticated users to the proxy which then uses the deny_info option redirects any non-whitelisted request to the login page. After the user has authenticated the firewall rule gets placed so they no longer get sent to the proxy.

The problem is that when a user hits a website (xkcd.com) they are unauthenticated so they get redirected via the firewall:

iptables -A unknown-user -t nat -p tcp --dport 80 -j REDIRECT --to-port 39135

to the proxy at this point squid redirects the user to the login page using a 302 (i've also tried 307, and i've also make sure the headers are set to no-cache and/or no-store for Cache-Control and Pragma). Then when the user logs into the system they get firewall rule which no longer directs them to the squid proxy. But if they go to xkcd.com again they will have the original redirection page cached and will once again get the login page.

Any idea how to force these redirects to NOT be cached by the browser? Perhaps this is a problem w/ the browsers and not squid, but not sure how to get around it.

Full squid config below.

#                                                                               
# Recommended minimum configuration:                                            
#                                                                               
acl manager proto cache_object                                                  
acl localhost src 127.0.0.1/32 ::1                                              
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1                                 

acl localnet src 192.168.182.0/23   # RFC1918 possible internal network         
acl localnet src fc00::/7   # RFC 4193 local private network range              
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines   

acl https port 443                                                              
acl http port 80                                                                
acl CONNECT method CONNECT                                                                                                              

#                                                                               
# Disable Cache                                                                 
#                                                                               
cache deny all

via off
negative_ttl 0 seconds
refresh_all_ims on    
#error_default_language en

# Allow manager access only from localhost                                      
http_access allow manager localhost                                             
http_access deny manager                                                        

# Deny access to anything other then http                                       
http_access deny !http                                                          

# Deny CONNECT to other than secure SSL ports                                   
http_access deny CONNECT !https                                                 

visible_hostname gate.ovatn.net                                                 

# Disable memory pooling                                                        
memory_pools off                                                                

# Never use neigh cache objects for cgi-bin scripts                             
hierarchy_stoplist cgi-bin ? 

#
# URL rewrite Test Settings
#
#acl whitelist dstdomain "/etc/squid/domains-pre.lst"
#url_rewrite_program /usr/lib/squid/redirector
#url_rewrite_access allow !whitelist
#url_rewrite_children 5 startup=0 idle=1 concurrency=0
#http_access allow all

#
# Deny Info Error Test 
#
acl whitelist dstdomain "/etc/squid/domains-pre.lst"
deny_info http://login.domain.com/ whitelist
#deny_info ERR_ACCESS_DENIED whitelist
http_access deny !whitelist

http_access allow whitelist

http_port 39135 transparent

## Debug Values
access_log /var/log/squid/access-pre.log
cache_log /var/log/squid/cache-pre.log

# Production Values
#access_log /dev/null
#cache_log /dev/null

# Set PID file
pid_filename /var/run/gatekeeper-pre.pid

SOLUTION:

I believe I might have found a solution to this. After days and days trying to figure it out, only through a random stumble I found

client_persistent_connections off
server_persistent_connections off

This did the trick. So it wasn't so much cache as it was a single persistent connection messing things up. W000T!

© Server Fault or respective owner

Related posts about linux

Related posts about proxy