Re: [squid-users] Youtube redirection loop?

2015-05-12 Thread Yuri Voinov

Solved.

I've added the 3975 backport patch,

then this one:

acl text-html rep_mime_type text/html
acl http302 http_status 302
store_miss deny text-html
store_miss deny http302
send_hit deny text-html
send_hit deny http302

and this one:

# For YT block useragent header
acl googledomain_ua_deny dstdomain .youtube.com .googlevideo.com
request_header_access User-Agent deny googledomain_ua_deny

Now the loop is gone.

Note: stripping User-Agent may lead to some side effects!

08.05.15 3:25, HackXBack wrote:

You are right, but this patch still works for me.
I don't know if we can find a better solution for this, like you said, by ACL.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Youtube-redirection-loop-tp4671084p4671179.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
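
A way to check from Squid's access.log whether the 302 loop is really gone after applying the configuration above. This is an added example, not code from the thread or from the Squid project; it assumes the native access.log format, and the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Squid native access.log fields:
# time elapsed client result/status bytes method URL user hierarchy/peer mime
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>[^/\s]+)/(?P<status>\d{3})"
    r"\s+\d+\s+\S+\s+(?P<url>\S+)\s+\S+\s+\S+\s+(?P<mime>\S+)$"
)

def find_redirect_loops(lines, min_repeats=5, window=10.0):
    """Flag (client, URL) pairs that received at least min_repeats 302
    replies within `window` seconds; both thresholds are assumptions."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["status"] == "302":
            seen[(m["client"], m["url"])].append((float(m["ts"]), m["result"], m["mime"]))
    loops = {}
    for key, hits in seen.items():
        hits.sort()
        start = 0
        for end, (ts, _, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the time window forward
                start += 1
            if end - start + 1 >= min_repeats:
                loops[key] = {
                    "count": len(hits),
                    # 302s answered from cache: what send_hit/store_miss deny http302 prevents
                    "from_cache": sum("HIT" in res for _, res, _ in hits),
                    # reply MIME types seen (text/html vs text/plain, as discussed in the thread)
                    "mime": sorted({mime for _, _, mime in hits}),
                }
                break
    return loops

# Constructed sample log lines (not taken from the thread).
URL = "http://www.youtube.com/watch?v=EXAMPLE"
SAMPLE = [f"1431400000.100     12 192.0.2.10 TCP_MISS/302 512 GET {URL} - HIER_DIRECT/203.0.113.5 text/html"]
SAMPLE += [f"143140000{i}.300      1 192.0.2.10 TCP_HIT/302 512 GET {URL} - HIER_NONE/- text/html"
           for i in range(1, 6)]
SAMPLE.append("1431400009.500     40 192.0.2.11 TCP_MISS/302 300 GET http://example.org/old "
              "- HIER_DIRECT/198.51.100.7 text/plain")

if __name__ == "__main__":
    for (client, url), info in find_redirect_loops(SAMPLE).items():
        print(client, url, info)
```

With the store_miss/send_hit rules in place, any pair that is still reported should show `from_cache` at 0; a non-zero value means cached 302 replies are still being served.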




Re: [squid-users] Youtube redirection loop?

2015-05-07 Thread Yuri Voinov

I think this loop was changed in YT during the last year.

HTML5 has been finished since 2015. The YT URL scheme was changed this year. So,
text/html is not valid for preventing looping. I see a text/plain
redirector in the YT exchange.

08.05.15 2:59, HackXBack wrote:
 For me this patch works,
 but did you find this simple solution?
 BTW, this loop is not new; I have used this patch for more than 1 year.




Re: [squid-users] Youtube redirection loop?

2015-05-07 Thread HackXBack
You are right, but this patch still works for me.
I don't know if we can find a better solution for this, like you said, by ACL.





Re: [squid-users] Youtube redirection loop?

2015-05-07 Thread Yuri Voinov

Feature with acl will be useful. Not only YT uses this redirection scheme.

08.05.15 3:25, HackXBack wrote:
 You are right, but this patch still works for me.
 I don't know if we can find a better solution for this, like you said, by ACL.





Re: [squid-users] Youtube redirection loop?

2015-05-07 Thread Yuri Voinov

The 3.4.x series needs a patch. A correct patch. This copy-n-pasted one is broken.

Also, you have forgotten one thing: the YT redirector has the text/plain MIME
type, not text/html. Just trace your YT session and check every exchange
between client and server.

In general: we can get a very simple and reliable solution if we can
focus the rep_mime_type acl on a single domain. That's all we need.

05.05.15 4:07, HackXBack wrote:
 store_miss deny http302



Re: [squid-users] Youtube redirection loop?

2015-05-05 Thread Yuri Voinov



05.05.15 4:07, HackXBack wrote:

Okay Sir,
this is the solution

1st: put this conf in your squid.conf

for looping 302 on youtube
acl text-html rep_mime_type text/html
acl http302 http_status 302
store_miss deny text-html
store_miss deny http302
send_hit deny text-html
send_hit deny http302

This works on 3.5.x and above only. The store_* directives are absent in the 3.4.x
series.



2nd: use this patch:



--- src/client_side_request.cc  2014-03-09 06:40:56.0 -0300
+++ src/client_side_request.cc  2014-04-21 02:53:11.277155130 -0300
@@ -545,6 +545,16 @@
  }
  debugs(85, 3, HERE  validate IP   clientConn-local  
non-match from Host: IP   ia-in_addrs[i]);
  }
+
+if (true) {
+unsigned short port = clientConn-local.port();
+debugs(85, 3, HERE  [anti-forgery] Host-non-matched remote
IP (  clientConn-local  ) was replaced with the first Host resolved
IP (  ia-in_addrs[0]  :  clientConn-local.port()  ));
+clientConn-local = ia-in_addrs[0];
+clientConn-local.port(port);
+http-request-flags.hostVerified = true;
+http-doCallouts();
+return;
+}
  }
  debugs(85, 3, HERE  FAIL: validate IP   clientConn-local  
possible from Host:);
  hostHeaderVerifyFailed(local IP, any domain IP);
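
Review bot: the added block is guarded by `if (true)`, so whenever the address loop finds no match the request is always rewritten to the first resolved address and marked `hostVerified = true`, and the `hostHeaderVerifyFailed(...)` call below it can no longer be reached from this branch. That switches off the Host/destination-IP consistency check for every request that gets here, not only for the traffic that loops. Put the bypass behind a configuration option or an ACL match instead of a constant condition, and use the saved `port` in the `debugs()` line instead of calling `clientConn->local.port()` a second time.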


--- src/Server.cc
+++ src/Server.cc
@@ -31,6 +31,7 @@
   */
  
  #include squid.h

+#include acl/FilledChecklist.h
  #include acl/Gadgets.h
  #include base/TextException.h
  #include comm/Connection.h
@@ -174,6 +175,8 @@
  // give entry the reply because haveParsedReplyHeaders() expects it
there
  entry-replaceHttpReply(theFinalReply, false); // but do not write yet
  haveParsedReplyHeaders(); // update the entry/reply (e.g., set
timestamps)
+if (EBIT_TEST(entry-flags, ENTRY_CACHABLE)  blockCaching())
+entry-release();
  entry-startWriting(); // write the updated entry to store
  
  return theFinalReply;
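
Review bot: `entry->release()` is immediately followed by `entry->startWriting()` on the same entry, and nothing here says why writing a just-released entry is intended. Add a one-line comment on the ordering (presumably the current client still needs the reply while the object must not stay in the cache), and note that this condition runs the `store_miss` ACL check for every cachable reply.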

@@ -533,6 +536,24 @@
  currentOffset = partial ? theFinalReply-content_range-spec.offset :
0;
  }
  
+/// whether to prevent caching of an otherwise cachable response

+bool
+ServerStateData::blockCaching()
+{
+if (const Acl::Tree *acl = Config.accessList.storeMiss) {
+// This relatively expensive check is not in
StoreEntry::checkCachable:
+// That method lacks HttpRequest and may be called too many times.
+ACLFilledChecklist ch(acl, originalRequest(), NULL);
+ch.reply = const_castHttpReply*(entry-getReply()); //
ACLFilledChecklist API bug
+HTTPMSGLOCK(ch.reply);
+if (ch.fastCheck() != ACCESS_ALLOWED) { // when in doubt, block
+debugs(20, 3, store_miss prohibits caching);
+return true;
+}
+}
+return false;
+}
+
  HttpRequest *
  ServerStateData::originalRequest()
  {
--- src/Server.h
+++ src/Server.h
@@ -131,6 +131,8 @@
  /// Entry-dependent callbacks use this check to quit if the entry went
bad
  bool abortOnBadEntry(const char *abortReason);
  
+bool blockCaching();

+
  #if USE_ADAPTATION
  void startAdaptation(const Adaptation::ServiceGroupPointer group,
HttpRequest *cause);
  void adaptVirginReplyBody(const char *buf, ssize_t len);
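
Review bot: `bool blockCaching();` is declared without a doc comment, while the declaration directly above it carries one (`/// Entry-dependent callbacks ...`). Move or copy the `/// whether to prevent caching of an otherwise cachable response` line from Server.cc to this declaration so the header documents it.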
--- src/SquidConfig.h
+++ src/SquidConfig.h
@@ -375,6 +375,8 @@
  acl_access *AlwaysDirect;
  acl_access *ASlists;
  acl_access *noCache;
+acl_access *sendHit;
+acl_access *storeMiss;
  acl_access *stats_collection;
  #if SQUID_SNMP
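
Review bot: `sendHit` is added next to `storeMiss`, but in the hunks shown only `Config.accessList.storeMiss` is consulted (in `ServerStateData::blockCaching()`); nothing reads `sendHit`. If the `send_hit` check lives in a file that was dropped from this paste, include that hunk; otherwise the `send_hit deny ...` lines from the squid.conf snippet above have nothing enforcing them.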
  
--- src/cf.data.pre

+++ src/cf.data.pre
@@ -4843,18 +4843,97 @@
  NAME: cache no_cache
  TYPE: acl_access
  DEFAULT: none
-DEFAULT_DOC: Allow caching, unless rules exist in squid.conf.
+DEFAULT_DOC: By default, this directive is unused and has no effect.
  LOC: Config.accessList.noCache
  DOC_START
-   A list of ACL elements which, if matched and denied, cause the request 
to
-   not be satisfied from the cache and the reply to not be cached.
-   In other words, use this to force certain objects to never be cached.
-
-   You must use the words 'allow' or 'deny' to indicate whether items
-   matching the ACL should be allowed or denied into the cache.
+   Requests denied by this directive will not be served from the cache
+   and their responses will not be stored in the cache. This directive
+   has no effect on other transactions and on already cached responses.
  
  	This clause supports both fast and slow acl types.

See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+
+   This and the two other similar caching directives listed below are
+   checked at different transaction processing stages, have different
+   access to response information, affect different cache operations,
+   and differ in slow ACLs support:
+
+   * cache: Checked before Squid makes a hit/miss determination.
+   No access to reply information!
+   Denies both