Re: How to strip/ignore header in squid?

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Kurt Buff wrote:
> On Wed, May 13, 2009 at 18:18, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> > > On Tue, May 12, 2009 at 17:09, Chris Robertson <crobertson@xxxxxxx> wrote:
> > > > Kurt Buff wrote:
> > > > > All,
> > > > >
> > > > > My user population is having frequent problems fetching PDFs through
> > > > > our squid proxy, and I think I've narrowed down the issue, though I'm
> > > > > not 100% certain of it.
> > > > >
> > > > > I see two deny messages from our Sidewinder firewall, that are
> > > > > associated with the URLs regarding request headers for the PDFs:
> > > > >
> > > > > Â  Â  "Request denied with request header Unless-Modified-Since."
> > > > >
> > > > > and
> > > > >
> > > > > Â  Â  "Request denied with request header Translate."
> > > > >
> > > > > Is there a way to cause squid to ignore these request headers from the
> > > > > browsers,
> > > > http://www.squid-cache.org/Doc/config/header_access/
> > > >
> > > > > Â or to replace them with something benign?
> > > > http://www.squid-cache.org/Doc/config/header_replace/
> > > >
> > > > > Â Is it reasonable
> > > > > to do so, or will that just cause further issues?
> > > > There, I can't help. Â I'd suggest contacting support for the Firewall,
> > > > and
> > > > get the problem solved (or at least identified) there.
> > > >
> > > > > Any help and thoughts appreciated.
> > > > >
> > > > > Kurt
> > > >
> > > > Chris
> > > Unfortunately, adding the two directives:
> > >
> > >      header_access Unless-Modified-Since deny all
> > >      header_access Translate deny all
> > >
> > > Generates the following errors at start and stop of squid:
> > >
> > >     2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:40 unrecognized:
> > > 'header_access'
> > >     2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:41 unrecognized:
> > > 'header_access
> > >
> > > Under FreeBSD, a 'make config' shows that SQUID_STRICT_HTTP is
> > > deselected. From my reading of the make file, this means that the
> > > directive --disable-http-violations is not in effect.
> > >
> > > Will I have to recompile with --enable-http-violations to be able to
> > > use these directives?
> > >
> > > Kurt
> > Yes.
> >
> > Amos
>
> I came to that conclusion on my own, and did recompile with that
> option ('make --enable-http-violations' then 'make install', and it
> went without error) but it didn't help, as I'm getting the same error
> message.
>
> I'm sure I'm missing something, but need a clue...
>
> Kurt

Just done a quick check of the code and it looks like those two 
particular headers are not in the 'standard' set known to squid.

From the descriptions I can find about the header I thunk we should be 
adding it as known and allowing some security controls over it.

Patch coming. What release of Squid are you using?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7