i am currently using this setup on my squid 3.5.28 version for https
filtering using ssl certificate
its caching http and https (some specific extensions) on facebook i can
aldo when i press play to play the video and try to cache it , it simply
does not play any videos i can only play the live feeds transmission, this
is the squid.conf files and the store-id.pl i am using
acl SSL_ports port 443
acl SSL_ports port 5353
acl Safe_ports port 21
acl Safe_ports port 22
acl Safe_ports port 53
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 1025-65535
acl Safe_ports port 443
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 5353
acl Safe_ports port 18901-18909
acl Safe_ports port 1818
acl Safe_ports port 39190
acl Safe_ports port 40000-40010
acl Safe_ports port 7777
acl Safe_ports port 19101
acl Safe_ports port 27780
acl Safe_ports port 29000
acl Safe_ports port 22100
acl Safe_ports port 5121
acl Safe_ports port 6000-6152
acl Safe_ports port 2001
acl Safe_ports port 9601-9602
acl Safe_ports port 8085
acl Safe_ports port 11011-11041
acl Safe_ports port 13413
acl Safe_ports port 19000
acl Safe_ports port 5105
acl Safe_ports port 10009
acl Safe_ports port 12060-12070
acl Safe_ports port 6000-6001
acl Safe_ports port 29200
acl Safe_ports port 10402
acl Safe_ports port 9600
acl Safe_ports port 15002
acl Safe_ports port 16402-16502
acl Safe_ports port 5126
acl Safe_ports port 3010
acl Safe_ports port 11031
acl Safe_ports port 11440-11460
acl Safe_ports port 11100-11125
acl Safe_ports port 4300
acl Safe_ports port 12011
acl Safe_ports port 12110
acl Safe_ports port 15001
acl Safe_ports port 15002
acl Safe_ports port 7341
acl Safe_ports port 7451
acl Safe_ports port 7808
acl Safe_ports port 30000
acl Safe_ports port 9001
acl Safe_ports port 9030
acl Safe_ports port 953
acl Safe_ports port 42051-42052
acl Safe_ports port 36567
acl Safe_ports port 8001
acl Safe_ports port 14000-14050
acl Safe_ports port 27019
acl Safe_ports port 28901-28920
acl Safe_ports port 7201-7208
acl Safe_ports port 17001-17002
acl Safe_ports port 14300-14440
acl Safe_ports port 15100-15150
acl Safe_ports port 7770-7790
acl Safe_ports port 16320-16340
acl Safe_ports port 9000-9160
acl Safe_ports port 7200
acl Safe_ports port 7400
acl Safe_ports port 7106
acl Safe_ports port 7999
acl Safe_ports port 47611
acl Safe_ports port 36567
acl Safe_ports port 10087
acl Safe_ports port 27000-27050
acl Safe_ports port 27014-27050
acl Safe_ports port 4380
acl Safe_ports port 3478
acl Safe_ports port 4379
acl Safe_ports port 8890
acl Safe_ports port 9339
acl Safe_ports port 8890
acl Safe_ports port 7200-7210
acl Safe_ports port 7450-7460
acl Safe_ports port 8000
acl Safe_ports port 64990-65010
acl CONNECT method CONNECT
ssl_bump splice localhost
acl 9 at_step SslBump1
acl 10 at_step SslBump2
acl 11 at_step SslBump3
ssl_bump peek 9 all
ssl_bump bump 10 all
ssl_bump bump 11 all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 16 startup=1 idle=1
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER #this line fixing www.gmail.com, mail.yahoo.com for some errors
always_direct allow all
On 17/04/19 3:11 am, tester100 wrote:
> when i press refresh or when i clean history on my browser and login to
> facebook again i can see this memory hits on the log.. with .mp4 video
> extensions but cannot play it at all
Yes those Browser controls are normally the way one forces proxies
awareness of problems to make them fix this type of issue.
However, the proxy admin configured a lot of ignore-* options on the
refresh_patterns as well as a global conversion of reload into IMS
fetches ("reload_into_ims on"). As a result the Browser reload or
revalidate requests get ignored or converted into less effective fetches.
> Hi guys
> i am currently using this setup on my squid 3.5.28 version for https
> filtering using ssl certificate
> its caching http and https (some specific extensions) on facebook i can
> aldo when i press play to play the video and try to cache it , it simply
> does not play any videos i can only play the live feeds transmission, this
> is the squid.conf files and the store-id.pl i am using
> # SQUID CONFIGURATION OF CYBERSCIE.COM
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
> acl localnet src 192.168.1.0/24
> acl localnet src 192.168.2.0/24
> acl SSL_ports port 443
> acl SSL_ports port 5353
> acl Safe_ports port 21
> acl Safe_ports port 22
> acl Safe_ports port 53
> acl Safe_ports port 70
> acl Safe_ports port 80
> acl Safe_ports port 210
> acl Safe_ports port 280
> acl Safe_ports port 1025-65535
The above line means that any of the *many* entries you have for ports
over 1024 are a pointless waste of memory and CPU cycles.
Please start by running "squid -k parse" on your config and fix all the
issues that get mentioned.
The above pattern does not match what it may seem to match.
A) there is no path-segment delimiter ('/' or '\?') required. So the
thing that _looks_ like a file extension can match when existing in the
domain name (eg http://hello.ytimg.com.gif-fy.invalid/ will be allowed)
It is pointless to place "(.*)" or ".*" or ".+" at the start or end of a
Arbitrary suffix is implicit and all this will do is slow the regex
processing down even further trying to match the entire (possibly VERY
long) URL against ".*"
That goes for all places you use regex patterns.
1) override-lastmod is generally a bad idea. It prevents the
Last-Modified header telling Squid that an object has any previous time
since it was updated - this option actively *reduces* the time objects
can be cached.
2) override-expire should not be used for sites like Facebook which
provide well behaved cacheability headers. Like (1) it actively breaks
caching with often the opposite result to what one wants.
3) ignore-reload is part of why your Browser "refresh" attempts are
failing to do anything at all.
4) override-expire is *shortening* the caching time for these objects.
Facebook actually has pretty good cacheability once you get past the
problem of it all being hidden behind crypto.
5) ignore-no-store is a bad idea. This *forces* private details from one
person's FB profile pages to be delivered to other clients. It exists
only because there are some very badly designed sites abusing the
Cache-Control header. Facebook is *not* one of those sites.
6) ignore-private has been made relatively safe in the latest Squid. BUT
the revalidation mechanisms are required for it to be safe at all.
It is a very bad idea to use with either ignore-reload or
ignore-must-revalidate ... let alone both at once. Security
vulnerabilities will exist as a result of these options used together.
7) store-stale is in a similar position of requiring revalidation /
reload to be possible. But with less severe results - only badly broken
web page display.
These issues caused by (5), (6), and (7) could be at least a part of
what is going wrong. Probably also some other things.
Notice that if the earlier FB patterns did not match this makes videos
and audio URLs forced to be immediately stale/expired, forced to be
cached anyway, forced all clients/users to get the same objects, and
then also prohibits anything from updating the cache object if a broken
one gets into cache somehow.
You were saying something about video problems?
The remainder of your refresh_patterns show a lot of repeats of these
Remember: these options are dangerous. Use with great care. And
understand what the options are doing
> This way i can play the facebook videos, but no caching is done i only get
> http_port 3129 tproxy ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt
Do you know what the differences between these two port lines are?
In one the client is aware that the proxy exists and sends details to it
in a CONNECT request.
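
An added example, not part of the original thread and not Squid's own tooling: a small Python linter that applies the checks from the reply above (Safe_ports entries already covered by a range, implicit wildcards, extension patterns not tied to the end of the path, and the refresh_pattern option combinations it calls dangerous). The sample config is constructed, because the poster's refresh_pattern lines are missing from this archive, and the heuristics are assumptions that complement `squid -k parse` rather than replace it.

```python
import re

# Constructed sample, not the poster's real rules (those lines are missing
# from the archived thread).
SAMPLE_CONF = r"""
acl Safe_ports port 80
acl Safe_ports port 1025-65535
acl Safe_ports port 7777
refresh_pattern -i (.*)\.(mp4|flv)(.*) 10080 90% 43200 override-expire ignore-reload ignore-no-store ignore-private store-stale
refresh_pattern -i \.(gif|png|jpg)(\?|$) 1440 50% 10080
"""

BLOCKS_REVALIDATION = {"ignore-reload", "ignore-must-revalidate"}
WILDCARD = r"\(?(?<!\\)\.[*+]\)?"   # .*  .+  (.*)  (.+), but not an escaped \.

def lint(conf):
    """Return a list of (line_number, finding) for a squid.conf text."""
    out, ranges = [], []
    for n, line in enumerate(conf.splitlines(), 1):
        tok = line.split("#", 1)[0].split()      # drop trailing comment
        if tok[:3] == ["acl", "Safe_ports", "port"]:
            for spec in tok[3:]:
                lo, _, hi = spec.partition("-")
                lo, hi = int(lo), int(hi or lo)
                if any(a <= lo and hi <= b for a, b in ranges):
                    out.append((n, f"port {spec} already covered by an earlier range"))
                ranges.append((lo, hi))
        elif tok[:1] == ["refresh_pattern"] and len(tok) >= 5:
            args = tok[2:] if tok[1] == "-i" else tok[1:]
            regex, opts = args[0], set(args[4:])  # regex min percent max [options]
            if re.match(WILDCARD, regex) or re.search(WILDCARD + "$", regex):
                out.append((n, "leading/trailing wildcard is implicit and only slows matching"))
            if "\\." in regex and not re.search(r"(\$|\\\?)\)?$", regex):
                out.append((n, "extension not tied to end of path or '?', can match inside a hostname"))
            if opts & {"override-expire", "override-lastmod"}:
                out.append((n, "override-* can shorten caching for sites with good headers"))
            if "ignore-no-store" in opts:
                out.append((n, "ignore-no-store can hand one user's private response to others"))
            blockers = sorted(opts & BLOCKS_REVALIDATION)
            for opt in ("ignore-private", "store-stale"):
                if opt in opts and blockers:
                    out.append((n, f"{opt} relies on revalidation, disabled here by {', '.join(blockers)}"))
    return out

if __name__ == "__main__":
    for n, msg in lint(SAMPLE_CONF):
        print(f"line {n}: {msg}")
```
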
On 18/04/19 12:03 pm, tester100 wrote:
> big thxs for all your input
> it just shows me that i know nothing about squid that i am complete newbie,
> and that i need to spend my time reading all the manual and config examples.
I did not mean to imply a lot of reading was needed. Just some in
relation to the items I mentioned as probably leading to your issue. The
rest can be long-term goals to fix up.
FYI: The Squid wiki <http://wiki.squid-cache.org/> and config manual
<http://www.squid-cache.org/Doc/config/> (the v3.5 pages for your Squid
version) are the most accurate information sources behind reading the
code itself. But keep in mind that Squid-3 is also outdated nowadays,
Squid-4 and later have changed some significant feature behaviours.
Most of the things I pointed out were useful at some point (eg Squid-2),
and may still be for some use-cases. But for which Squid behaviour has
changed since how-tos and tutorials advising them were written.
> big thanks i will have some guidance on reading and research for the next
> couple of days now.
You are welcome. Any further questions or advice wanted please feel free
to ask. Helping each other use Squid is what this mailing list is
about - for experts and newbies alike.
> Just to add:
> Facebook has these headers for many of their videos:
> max-age=1209600, no-transform
> So what happens is that the client browser will save these URLs for a
> very long time and it's good.
As will Squid unless the admin has configured refresh_pattern options
that force expiry earlier.