On Wed, May 13, 2009 at 20:16, Robert Collins <robertc@xxxxxxxxxxxxxxx> wrote:
> On Wed, 2009-05-13 at 19:39 -0700, Kurt Buff wrote:
>
>> I came to that conclusion on my own, and did recompile with that
>> option ('make --enable-http-violations' then 'make install', and it
>> went without error) but it didn't help, as I'm getting the same error
>> message.
>>
>> I'm sure I'm missing something, but need a clue...
>
> Are you sure you're running a squid with that enabled? (squid -v).
>
> and that said, the first of those headers is actually really useful, you
> should get your firewall updated to support HTTP/1.1.
>
> -Rob

Per my off-list email, the firewall is a newish, incredibly paranoid
sidewinder, and I understand why it's dropping the
Unless-Modified-Since header - there were some nasty exploits against
it a while back. I don't know if those are still relevant, though.

As for squid -v, these are the results:

zsquid2# squid -v
Squid Cache: Version 3.0.STABLE15
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic digest negotiate ntlm' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB squid_radius_auth YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--with-pthreads' '--enable-storeio=ufs diskd null aufs' '--enable-icmp' '--enable-icap-client' '--enable-kqueue' '--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish Dutch English Estonian Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Lithuanian Polish Portuguese Romanian Russian-1251 Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish Swedish Traditional_Chinese Turkish Ukrainian-1251 Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=templates' '--enable-http-violations' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.0' 'build_alias=i386-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe ' 'LDFLAGS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'

I see '--enable-http-violations' in there...

/usr/local/etc/squid/squid.conf looks like so, in case you can spot
something I did wrong:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_mem 512 MB
cache_dir aufs /squid 54476 512 1024
logformat combined %>a %>A %<A [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss
access_log syslog combined
access_log /usr/local/squid/logs/access.log combined
logfile_rotate 90
acl QUERY urlpath_regex cgi-bin \?
# acl all src 0.0.0.0/0.0.0.0
acl our_networks src 192.168.11.0/24 192.168.12.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Header_access lines below added to alleviate issue with downloading PDFs
# 2009-05-12
header_access Unless-Modified-Since deny all
header_access Translate deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny all
http_reply_access allow all
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname zsquid2.mycompany.com
icp_port 3130
coredump_dir /usr/local/squid/cache
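
Squid checks each access list top-down and stops at the first rule that matches, so the order of the access lines in the posted squid.conf decides which of them can ever take effect. The following is an added example, not part of the original message: a small lint (the function name find_shadowed_rules and the embedded sample are constructed here from the posted rules) that reports rules placed after an unconditional "all" rule of the same directive.

```python
# Constructed sample: the access rules from the posted squid.conf, in order.
SAMPLE_CONF = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny all
http_reply_access allow all
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
"""

# Directives that Squid evaluates as ordered, first-match access lists.
ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "icp_access", "htcp_access"}


def find_shadowed_rules(conf_text):
    """Return (line_no, rule, catch_all_line_no) for rules that can never match
    because an earlier '<directive> allow|deny all' already matches everything."""
    catch_all = {}  # directive -> line number of its first unconditional rule
    shadowed = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ACCESS_DIRECTIVES:
            continue
        directive, action, acls = tokens[0], tokens[1], tokens[2:]
        if action not in ("allow", "deny"):
            continue
        if directive in catch_all:
            # An earlier rule already matched every request for this directive.
            shadowed.append((line_no, line, catch_all[directive]))
        elif acls == ["all"]:
            catch_all[directive] = line_no
    return shadowed


if __name__ == "__main__":
    for line_no, rule, blocker in find_shadowed_rules(SAMPLE_CONF):
        print(f"line {line_no}: '{rule}' is unreachable (catch-all at line {blocker})")
```

Line numbers in the output are relative to the embedded sample, not to the full configuration file.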