Re: [squid-users] Youtube redirection loop?
Solved.

I've added the 3975 backport patch, then this one:

acl text-html rep_mime_type text/html
acl http302 http_status 302
store_miss deny text-html
store_miss deny http302
send_hit deny text-html
send_hit deny http302

and this one:

# For YT block useragent header
acl googledomain_ua_deny dstdomain .youtube.com .googlevideo.com
request_header_access User-Agent deny googledomain_ua_deny

Now the loop is gone.

Note: stripping User-Agent may lead to some side effects!

08.05.15 3:25, HackXBack wrote:
> You are right, but this patch still works for me.
> I don't know if we can find a better solution for this, like you said, by acl.
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Youtube-redirection-loop-tp4671084p4671179.html
> Sent from the Squid - Users mailing list archive at Nabble.com.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Youtube redirection loop?
I think this loop was changed in YT during the last year. HTML5 was finished since 2015. The YT URL scheme was changed this year.

So, text/html is not valid for preventing looping. I see a text/plain redirector in the YT exchange.

08.05.15 2:59, HackXBack wrote:
> For me this patch works, but did you find this simple solution?
> btw this loop is not new, I use this patch more than 1 year
Re: [squid-users] Youtube redirection loop?
You are right, but this patch still works for me.
I don't know if we can find a better solution for this, like you said, by acl.
Re: [squid-users] Youtube redirection loop?
A feature with acl will be useful. Not only YT uses this redirection scheme.

08.05.15 3:25, HackXBack wrote:
> You are right, but this patch still works for me.
> I don't know if we can find a better solution for this, like you said, by acl.
Re: [squid-users] Youtube redirection loop?
For the 3.4.x series a patch is needed. A correct patch. This copy-n-pasted one is broken.

Also, you have forgotten one thing: the YT redirector has the text/plain mime type, not text/html. Just trace your YT session and check every exchange between client and server.

In general: we can get a very simple and reliable solution if we can focus the rep_mime_type acl on a single domain. That's all we need.

05.05.15 4:07, HackXBack wrote:
> store_miss deny http302
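
Tracing the exchange, as suggested in the message above, can start from Squid's own access.log. The script below is an added example, not code from this thread or from the Squid project; it assumes the default "squid" logformat, the sample lines are constructed, and the function names, window and threshold are illustrative choices.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "squid" access.log format.
SAMPLE_LOG = """\
1431040000.100 40 192.0.2.10 TCP_MISS/302 420 GET http://www.youtube.com/watch?v=AAAA - HIER_DIRECT/203.0.113.5 text/plain
1431040000.300 2 192.0.2.10 TCP_HIT/302 420 GET http://www.youtube.com/watch?v=AAAA - HIER_NONE/- text/plain
1431040000.500 1 192.0.2.10 TCP_MEM_HIT/302 420 GET http://www.youtube.com/watch?v=AAAA - HIER_NONE/- text/plain
1431040001.000 55 192.0.2.11 TCP_MISS/302 380 GET http://example.com/old - HIER_DIRECT/203.0.113.9 text/html
1431040090.000 50 192.0.2.11 TCP_MISS/302 380 GET http://example.com/old - HIER_DIRECT/203.0.113.9 text/html
1431040002.000 90 192.0.2.10 TCP_MISS/200 9120 GET http://example.com/index.html - HIER_DIRECT/203.0.113.9 text/html
"""

def parse(line):
    """Return the fields used below, or None for a short line."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "code": code,
            "status": status, "url": f[6], "mime": f[9]}

def find_loops(log_text, window=10.0, threshold=3):
    """Client+URL pairs answered with >= threshold 302s inside window seconds."""
    runs = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["status"] == "302":
            runs[(rec["client"], rec["url"])].append(rec)
    findings = []
    for (client, url), recs in runs.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = [], 0
        for end in range(len(recs)):  # sliding window over timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = recs[start:end + 1]
        if len(best) >= threshold:
            findings.append({
                "client": client, "host": urlsplit(url).hostname, "count": len(best),
                # 302s answered from cache: what the send_hit deny rule targets
                "from_cache": sum("HIT" in r["code"] for r in best),
                # tells a text/html redirector from a text/plain one
                "mime_types": sorted({r["mime"] for r in best}),
            })
    return findings

if __name__ == "__main__":
    print(find_loops(SAMPLE_LOG))
```

The mime_types field of each finding shows which rep_mime_type value an acl would have to match for that redirector.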
Re: [squid-users] Youtube redirection loop?
05.05.15 4:07, HackXBack wrote:
> Okay Sir, this is the solution
> 1st: put this conf in your squid.conf for looping 302 on youtube
>
> acl text-html rep_mime_type text/html
> acl http302 http_status 302
> store_miss deny text-html
> store_miss deny http302
> send_hit deny text-html
> send_hit deny http302

This works on 3.5.x and above only. store_* directives are absent in the 3.4.x series.

> 2nd: use this patch:
--- src/client_side_request.cc 2014-03-09 06:40:56.0 -0300 +++ src/client_side_request.cc 2014-04-21 02:53:11.277155130 -0300 @@ -545,6 +545,16 @@ } debugs(85, 3, HERE validate IP clientConn-local non-match from Host: IP ia-in_addrs[i]); } + +if (true) { +unsigned short port = clientConn-local.port(); +debugs(85, 3, HERE [anti-forgery] Host-non-matched remote IP ( clientConn-local ) was replaced with the first Host resolved IP ( ia-in_addrs[0] : clientConn-local.port() )); +clientConn-local = ia-in_addrs[0]; +clientConn-local.port(port); +http-request-flags.hostVerified = true; +http-doCallouts(); +return; +} } debugs(85, 3, HERE FAIL: validate IP clientConn-local possible from Host:); hostHeaderVerifyFailed(local IP, any domain IP); --- src/Server.cc +++ src/Server.cc @@ -31,6 +31,7 @@ */ #include squid.h +#include acl/FilledChecklist.h #include acl/Gadgets.h #include base/TextException.h #include comm/Connection.h @@ -174,6 +175,8 @@ // give entry the reply because haveParsedReplyHeaders() expects it there entry-replaceHttpReply(theFinalReply, false); // but do not write yet haveParsedReplyHeaders(); // update the entry/reply (e.g., set timestamps) +if (EBIT_TEST(entry-flags, ENTRY_CACHABLE) blockCaching()) +entry-release(); entry-startWriting(); // write the updated entry to store return theFinalReply; 
@@ -533,6 +536,24 @@ currentOffset = partial ? theFinalReply-content_range-spec.offset : 0; } +/// whether to prevent caching of an otherwise cachable response +bool +ServerStateData::blockCaching() +{ +if (const Acl::Tree *acl = Config.accessList.storeMiss) { +// This relatively expensive check is not in StoreEntry::checkCachable: +// That method lacks HttpRequest and may be called too many times. +ACLFilledChecklist ch(acl, originalRequest(), NULL); +ch.reply = const_castHttpReply*(entry-getReply()); // ACLFilledChecklist API bug +HTTPMSGLOCK(ch.reply); +if (ch.fastCheck() != ACCESS_ALLOWED) { // when in doubt, block +debugs(20, 3, store_miss prohibits caching); +return true; +} +} +return false; +} + HttpRequest * ServerStateData::originalRequest() { --- src/Server.h +++ src/Server.h @@ -131,6 +131,8 @@ /// Entry-dependent callbacks use this check to quit if the entry went bad bool abortOnBadEntry(const char *abortReason); +bool blockCaching(); + #if USE_ADAPTATION void startAdaptation(const Adaptation::ServiceGroupPointer group, HttpRequest *cause); void adaptVirginReplyBody(const char *buf, ssize_t len); --- src/SquidConfig.h +++ src/SquidConfig.h @@ -375,6 +375,8 @@ acl_access *AlwaysDirect; acl_access *ASlists; acl_access *noCache; +acl_access *sendHit; +acl_access *storeMiss; acl_access *stats_collection; #if SQUID_SNMP --- src/cf.data.pre +++ src/cf.data.pre 
@@ -4843,18 +4843,97 @@ NAME: cache no_cache TYPE: acl_access DEFAULT: none -DEFAULT_DOC: Allow caching, unless rules exist in squid.conf. +DEFAULT_DOC: By default, this directive is unused and has no effect. LOC: Config.accessList.noCache DOC_START - A list of ACL elements which, if matched and denied, cause the request to - not be satisfied from the cache and the reply to not be cached. - In other words, use this to force certain objects to never be cached. - - You must use the words 'allow' or 'deny' to indicate whether items - matching the ACL should be allowed or denied into the cache. + Requests denied by this directive will not be served from the cache + and their responses will not be stored in the cache. This directive + has no effect on other transactions and on already cached responses. This clause supports both fast and slow acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + + This and the two other similar caching directives listed below are + checked at different transaction processing stages, have different + access to response information, affect different cache operations, + and differ in slow ACLs support: + + * cache: Checked before Squid makes a hit/miss determination. + No access to reply information! + Denies both
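
Review bot: the added block in the src/client_side_request.cc hunk is guarded by "if (true)", so every connection whose destination IP matched none of the addresses resolved for the Host header has its local address replaced with ia-in_addrs[0] and hostVerified set to true, and the early return means the "FAIL: validate IP" debugs line and hostHeaderVerifyFailed() below it are never reached from this path. That turns the Host verification into a no-op for all traffic, not only for the YouTube domains the thread is about. Gate the block on an explicit configuration option or ACL that defaults to off instead of "if (true)", leave hostVerified false for rewritten connections so later code can still tell they were not verified, and submit this separately from the store_miss/send_hit backport, since it is an unrelated change.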
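
Review bot: in ServerStateData::blockCaching() (src/Server.cc) the test "ch.fastCheck() != ACCESS_ALLOWED" blocks caching for every answer other than an explicit allow, as the "when in doubt, block" comment says, so a store_miss rule set that cannot be decided by the fast check silently disables caching for the response. State that behaviour in the store_miss documentation, and extend the debugs(20, 3, ...) message to identify the entry so the decision can be traced in the debug log. The const_cast on entry-getReply(), marked in the comment as an ACLFilledChecklist API bug, should carry a reference to where that bug is tracked.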
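
Review bot: src/SquidConfig.h adds both sendHit and storeMiss, but in the part of the patch shown here only Config.accessList.storeMiss is read (in blockCaching()); no visible hunk consults sendHit. Confirm that the hunk which checks send_hit before serving a hit is included in the posted patch, otherwise the "send_hit deny" lines from the squid.conf snippet would have no effect on a build made from it.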