mån 2015-03-16 klockan 04:03 +0200 skrev Eliezer Croitoru: > My main concern until now is that if squid would have the cached object > in a digest url form such as: > http://digest.squid.internal/MD5/xyz123" > > Squid would in many cases try to verify against the origin server that > the cached object has the same ETAG and MODIFICATION time.
The Digest alone is only on the body, and says nothing about header authority. You need to get trusted object headers from somewhere else, i.e. the requested origin. Once you have the authoritative headers you can splice in the digest verified response body. This is in some sense similar to the header merging needed in ETag based variant handling on a single URL, but even more so as you must not take headers from one random URL and apply them to another requested URL without permission unless the requested URL permits this. Violating this opens a range of security concerns where headers may be injected giving a different result than intended by the origin. Regards Henrik _______________________________________________ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev