problems with SQUID 3.x and IBM Proventia

Udo Rader <listudo@xxxxxxxxxxxxxxx> · Wed, 22 Apr 2009 15:57:41 +0200

Hi,

one of our customers has an issue with a Debian Lenny based squid 3.x in 
connection with an IBM Proventia security appliance.

The setup is like this:

internet <-> proventia <-> squid

Now proventia comes with a transparent web content filter, removing 
dangerous things (viruses, ...) from HTTP traffic.

Unfortunately this transparent filter rewrites the HTTP headers and 
sometimes it even corrupts them in a way that squid cannot deal with it 
and refuses to further process the content. The cache.log then contains 
a message like this one:

-------CUT-------
2009/04/22 11:09:23| WARNING: HTTP header contains NULL characters 
{Date: Wed, 22 Apr 2009 09:09:23 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
-------CUT-------

The problem probably is the missing trailing double quote at the end of 
the filename.

I've verified the problem using telnet:

on the proxy server itself, connecting through proventia:
--------CUT--------
Proxy2:~# telnet www.example.com 80
Trying 192.168.1.0...
Connected to www.example.com
Escape character is '^]'.
GET 
/main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 
HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:02:40 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Expires: Thu, 22 Apr 2010 09:02:40 GMT
Connection: close
Content-Length: 8234
Content-Type: image/jpeg
--------CUT--------

on the proxy server itself, connecting directly to the server (using a 
ssh tunnel at port 8088)
--------CUT--------
Proxy2:~# telnet localhost 8088
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET 
/main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 
HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:03:03 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg"
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Content-length: 8234
Expires: Thu, 22 Apr 2010 09:03:03 GMT
Connection: close
Content-Type: image/jpeg
--------CUT--------

So of course the problem is proventia corrupting the HTTP headers and we 
will raise an issue about that with IBM.

But for the time being: is there a chance to make squid more "tolerant" 
about those kind of problems? Without surprize I did not find any 
fitting config options :-)

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com