Re: [squid-users] How to strip/ignore header in squid?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 15 May 2009 16:56:34 +1200

Kurt Buff wrote:
> On Wed, May 13, 2009 at 18:18, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> On Tue, May 12, 2009 at 17:09, Chris Robertson <crobertson_at_gci.net> wrote:
>>>> Kurt Buff wrote:
>>>>> All,
>>>>>
>>>>> My user population is having frequent problems fetching PDFs through
>>>>> our squid proxy, and I think I've narrowed down the issue, though I'm
>>>>> not 100% certain of it.
>>>>>
>>>>> I see two deny messages from our Sidewinder firewall, that are
>>>>> associated with the URLs regarding request headers for the PDFs:
>>>>>
>>>>> Â Â "Request denied with request header Unless-Modified-Since."
>>>>>
>>>>> and
>>>>>
>>>>> Â Â "Request denied with request header Translate."
>>>>>
>>>>> Is there a way to cause squid to ignore these request headers from the
>>>>> browsers,
>>>> http://www.squid-cache.org/Doc/config/header_access/
>>>>
>>>>> Â or to replace them with something benign?
>>>> http://www.squid-cache.org/Doc/config/header_replace/
>>>>
>>>>> Â Is it reasonable
>>>>> to do so, or will that just cause further issues?
>>>>>
>>>> There, I can't help. Â I'd suggest contacting support for the Firewall,
>>>> and
>>>> get the problem solved (or at least identified) there.
>>>>
>>>>> Any help and thoughts appreciated.
>>>>>
>>>>> Kurt
>>>>>
>>>>
>>>> Chris
>>> Unfortunately, adding the two directives:
>>>
>>> header_access Unless-Modified-Since deny all
>>> header_access Translate deny all
>>>
>>> Generates the following errors at start and stop of squid:
>>>
>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:40 unrecognized:
>>> 'header_access'
>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:41 unrecognized:
>>> 'header_access
>>>
>>> Under FreeBSD, a 'make config' shows that SQUID_STRICT_HTTP is
>>> deselected. From my reading of the make file, this means that the
>>> directive --disable-http-violations is not in effect.
>>>
>>> Will I have to recompile with --enable-http-violations to be able to
>>> use these directives?
>>>
>>> Kurt
>>>
>> Yes.
>>
>> Amos
>
> I came to that conclusion on my own, and did recompile with that
> option ('make --enable-http-violations' then 'make install', and it
> went without error) but it didn't help, as I'm getting the same error
> message.
>
> I'm sure I'm missing something, but need a clue...
>
> Kurt

Just done a quick check of the code and it looks like those two
particular headers are not in the 'standard' set known to squid.

 From the descriptions I can find about the header I thunk we should be
adding it as known and allowing some security controls over it.

Patch coming. What release of Squid are you using?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7
Received on Fri May 15 2009 - 04:56:41 MDT

This archive was generated by hypermail 2.2.0 : Fri May 15 2009 - 12:00:02 MDT