| View previous topic :: View next topic |
| Author |
Message |
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3439
|
 Posted: Mon Nov 18, 2024 9:34 pm Post subject: Can squid change content-encoding on the fly? |
 |
|
Anyone knows whether squid is capable of changing content-encoding for cached responses and how to enable it?
Haven't dug too deep, but it looks like cloudflare is trying to be smart while some http clients are not, and it results in feeding brotli-compressed files to applications which don't brotli.
Since I already have a squid proxy set up for cache, I'd like it to decompress the response body before sending it to the client.
_________________
Make Computing Fun Again |
|
| Back to top |
|
 |
Banana
Moderator
Joined: 21 May 2004
Posts: 1744
Location: Germany
|
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3439
|
| Posted: Tue Nov 19, 2024 10:11 am Post subject: |
|
|
Yeah, well, it's not _my_ cloudflare.
From what I found during my quick search on the internet, CF strips this header completely and enables or disables compression on its own proxy based on user agent and the zone policy. Didn't test it yet.
Still, I have several clients using the same resources, some of which do understand brotli and some don't. Assuming everything is working as expected:
Brotli-enabled client happens to go first, allowing compressed response
Squid stores the compressed response
Dumb client requests the same resoure
Squid serves the same compressed response from cache.
Dumb client goes WTF?!
_________________
Make Computing Fun Again |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1744
Location: Germany
|
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22686
|
| Posted: Tue Nov 19, 2024 1:49 pm Post subject: |
|
|
| In the observed failure case, what HTTP headers were sent by the Cloudflare response and by the dumb client request? I am curious whether Squid was provided with enough context to understand that it should not use the cached brotli response when serving the dumb client. If the dumb client omits Accept-Encoding: brotli and the Cloudflare response included Vary: Accept-Encoding, then I would expect Squid to react to that by considering the cached response unusable due to the mismatch between the dumb client's Accept-Encoding and the original Accept-Encoding request that populated the cache. |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3439
|
| Posted: Tue Nov 19, 2024 2:33 pm Post subject: |
|
|
> Anyway, have a look here: https://wiki.gentoo.org/wiki/Privoxy
Yeah, it looks like I'm gonna need another instance of mitmdump on top of squid. It handles decompression just fine. I feel like I got to the point where I need to start making notes of which proxy is doing what on which port though, and it sucks.
Hu, to satisfy your curiosity, I dumped the headers (and removed some identifying information):
| Code: | request Host:
request User-Agent:
request Accept: */*
request Accept-Language: en-US,en;q=0.5
request Accept-Encoding: gzip, deflate, br
request Referer:
request Origin:
request Connection: keep-alive
request Sec-Fetch-Dest: empty
request Sec-Fetch-Mode: cors
request Sec-Fetch-Site: cross-site
request Host:
request User-Agent:
request Accept: application/json, text/javascript, */*; q=0.01
request Accept-Language: en-US,en;q=0.5
request Accept-Encoding: gzip, deflate, br
request X-Requested-With: XMLHttpRequest
request Referer:
request Cookie:
request Connection: keep-alive
request Sec-Fetch-Dest: empty
request Sec-Fetch-Mode: cors
request Sec-Fetch-Site: same-origin
|
| Code: | response Date:
response Content-Type:
response Content-Length:
response Last-Modified:
response ETag:
response Access-Control-Allow-Origin:
response Access-Control-Allow-Credentials: true
response Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
response Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
response CF-Cache-Status: MISS
response Expires:
response Cache-Control: public, max-age=14400
response Accept-Ranges: bytes
response Vary: Accept-Encoding
response Server: cloudflare
response CF-RAY:
response X-Cache: MISS from squid.local
response X-Cache-Lookup: MISS from squid.local:3128
response Connection: keep-alive
response Server: ddos-guard
response Set-Cookie:
response Strict-Transport-Security: max-age=31536000, max-age=63072000;includeSubDomains;preload
response Content-Security-Policy: upgrade-insecure-requests;
response Content-Type: text/html; charset=UTF-8
response Vary: Accept-Encoding
response Cache-Control: no-cache
response Date:
response Expires:
response access-control-allow-methods: GET, HEAD, OPTIONS
response access-control-allow-headers: Origin,Range,Accept-Encoding,Referer,Cache-Control
response access-control-expose-headers: Server,Content-Length,Content-Range,Date
response Content-Encoding: gzip
response referrer-policy: no-referrer-when-downgrade
response x-xss-protection: 1; mode=block
response x-content-type-options: nosniff
response Age: 0
response DDG-Cache-Status: MISS
response X-Cache: MISS from squid.local
response X-Cache-Lookup: HIT from squid.local:3128
response Transfer-Encoding: chunked
response Connection: keep-alive
|
So, looks like it should have worked, but didn't.
Still, I don't think downloading it again would be a good solution. It is a caching proxy, it exists solely to reuse previously seen responses. Yeah, it definitely could do a better job.
Anyway, I'll leave it for another day or 2, and if nobody comes up with any clever ideas to handle it with squid alone, I'll just add another proxy to the chain.
_________________
Make Computing Fun Again |
|
| Back to top |
|
|
Banana
Moderator
Joined: 21 May 2004
Posts: 1744
Location: Germany
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
