problems with SQUID 3.x and IBM Proventia

Hi,

one of our customers has an issue with a Debian Lenny based squid 3.x in connection with an IBM Proventia security appliance.

The setup is like this:

internet <-> proventia <-> squid

Now proventia comes with a transparent web content filter, removing dangerous things (viruses, ...) from HTTP traffic.

Unfortunately this transparent filter rewrites the HTTP headers and sometimes it even corrupts them in a way that squid cannot deal with, so it refuses to further process the content. The cache.log then contains a message like this one:

-------CUT-------
2009/04/22 11:09:23| WARNING: HTTP header contains NULL characters {Date: Wed, 22 Apr 2009 09:09:23 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
-------CUT-------

The problem probably is the missing trailing double quote at the end of the filename.

I've verified the problem using telnet:

on the proxy server itself, connecting through proventia:
--------CUT--------
Proxy2:~# telnet www.example.com 80
Trying 192.168.1.0...
Connected to www.example.com
Escape character is '^]'.
GET /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:02:40 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Expires: Thu, 22 Apr 2010 09:02:40 GMT
Connection: close
Content-Length: 8234
Content-Type: image/jpeg
--------CUT--------

on the proxy server itself, connecting directly to the server (using an ssh tunnel at port 8088)
--------CUT--------
Proxy2:~# telnet localhost 8088
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:03:03 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg"
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Content-length: 8234
Expires: Thu, 22 Apr 2010 09:03:03 GMT
Connection: close
Content-Type: image/jpeg
--------CUT--------

So of course the problem is proventia corrupting the HTTP headers and we will raise an issue about that with IBM.

But for the time being: is there a chance to make squid more "tolerant" about those kinds of problems? Without surprise I did not find any fitting config options :-)

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
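
A byte-level comparison of the two captures, as an added example that is not part of the original post: telnet does not render NUL bytes, so the raw response bytes have to be inspected to see what the cache.log warning refers to. The sample responses are constructed from the headers shown above; the NUL byte placed where the closing quote was is an assumption for illustration, and all function names are hypothetical.

```python
"""Audit raw HTTP response headers for bytes a strict proxy parser may reject."""

# Constructed samples based on the headers in the post. The NUL byte in
# FILTERED is an assumption about what the appliance wrote in place of '"'.
DIRECT = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.0.53 (Linux/SUSE)\r\n"
          b'Content-Disposition: inline; filename="Lady.jpg"\r\n'
          b"Content-Type: image/jpeg\r\n\r\n")
FILTERED = DIRECT.replace(b'Lady.jpg"', b"Lady.jpg\x00")


def parse_headers(raw: bytes) -> dict:
    """Split a raw header block into {lowercased name: value bytes}."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    fields = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            # Strip only spaces and tabs so control bytes stay visible.
            fields[name.strip().lower().decode("latin-1")] = value.strip(b" \t")
    return fields


def audit(raw: bytes) -> list:
    """Return one finding per NUL byte or unbalanced quote in a header value."""
    findings = []
    for name, value in parse_headers(raw).items():
        if b"\x00" in value:
            offset = value.index(b"\x00")
            findings.append(f"{name}: NUL byte at value offset {offset}")
        if value.count(b'"') % 2:
            findings.append(f"{name}: unbalanced double quote")
    return findings


def diff_headers(direct: bytes, filtered: bytes) -> dict:
    """Map each header that differs to its (direct, filtered) values."""
    a, b = parse_headers(direct), parse_headers(filtered)
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("via filter", FILTERED)):
        print(label, audit(raw) or "clean")
    for name, (before, after) in diff_headers(DIRECT, FILTERED).items():
        print(f"{name}: {before!r} -> {after!r}")
```

To run it on real traffic, save the raw bytes of each response to a file (for example from a packet capture) and pass their contents to `audit()` and `diff_headers()` instead of the constructed samples.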
