Hi,
one of our customers has an issue with a Debian Lenny based squid 3.x in
connection with an IBM Proventia security appliance.
The setup is like this:
internet <-> proventia <-> squid
Now proventia comes with a transparent web content filter, removing
dangerous things (viruses, ...) from HTTP traffic.
Unfortunately this transparent filter rewrites the HTTP headers and
sometimes it even corrupts them in a way that squid cannot deal with,
so it refuses to further process the content. The cache.log then contains
a message like this one:
-------CUT-------
2009/04/22 11:09:23| WARNING: HTTP header contains NULL characters
{Date: Wed, 22 Apr 2009 09:09:23 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
-------CUT-------
The problem probably is the missing trailing double quote at the end of
the filename.
I've verified the problem using telnet:
on the proxy server itself, connecting through proventia:
--------CUT--------
Proxy2:~# telnet www.example.com 80
Trying 192.168.1.0...
Connected to www.example.com
Escape character is '^]'.
GET /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:02:40 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Expires: Thu, 22 Apr 2010 09:02:40 GMT
Connection: close
Content-Length: 8234
Content-Type: image/jpeg
--------CUT--------
on the proxy server itself, connecting directly to the server (using a
ssh tunnel at port 8088)
--------CUT--------
Proxy2:~# telnet localhost 8088
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2 HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 09:03:03 GMT
Server: Apache/2.0.53 (Linux/SUSE)
X-Powered-By: PHP/4.3.10
Content-Disposition: inline; filename="Lady.jpg"
Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
Content-length: 8234
Expires: Thu, 22 Apr 2010 09:03:03 GMT
Connection: close
Content-Type: image/jpeg
--------CUT--------
So of course the problem is proventia corrupting the HTTP headers and we
will raise an issue about that with IBM.
But for the time being: is there a chance to make squid more "tolerant"
about those kinds of problems? Without surprise I did not find any
fitting config options :-)
--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
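
Added example, not part of the original post and not Squid's own code: a Python check that compares a direct capture with a capture taken through the filter and flags the two defects discussed above, a NUL byte and an unterminated quoted-string. The sample captures are constructed from the headers quoted in the post; the position of the NUL byte and all function names are assumptions.

```python
# Added example (not from the post): audit captured HTTP response headers.
# DIRECT and FILTERED are constructed from the headers quoted in the post;
# placing the NUL where the closing quote was is an assumption.
DIRECT = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.0.53 (Linux/SUSE)\r\n"
          b'Content-Disposition: inline; filename="Lady.jpg"\r\n'
          b"Content-length: 8234\r\n"
          b"Content-Type: image/jpeg\r\n\r\n")
FILTERED = DIRECT.replace(b'Lady.jpg"', b"Lady.jpg\x00").replace(
    b"Content-length", b"Content-Length")

def parse_headers(raw):
    """Return {lowercased field name: raw value bytes} for one header block."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    fields = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep:
            fields[name.strip().lower().decode("latin-1")] = value.strip(b" \t")
    return fields

def unbalanced_quotes(value):
    """True if a quoted-string is opened but never closed (honours \\ escapes)."""
    in_quote, i = False, 0
    while i < len(value):
        c = value[i:i + 1]
        if in_quote and c == b"\\":
            i += 2                                # skip the escaped character
            continue
        if c == b'"':
            in_quote = not in_quote
        i += 1
    return in_quote

def audit(raw):
    """List (field, problem) pairs for NUL bytes and unterminated quotes."""
    findings = []
    for name, value in parse_headers(raw).items():
        if b"\x00" in value:
            findings.append((name, "NUL byte in value"))
        if unbalanced_quotes(value):
            findings.append((name, "unterminated quoted-string"))
    return findings

def diff_captures(direct, filtered):
    """Fields whose value differs between the two captures (names case-folded)."""
    a, b = parse_headers(direct), parse_headers(filtered)
    return {n: (a.get(n), b.get(n))
            for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}

if __name__ == "__main__":
    print(audit(FILTERED), diff_captures(DIRECT, FILTERED))
```

A terminal will not display a NUL, so the captures need to be saved as raw bytes rather than copied from a telnet session.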