On Thu, May 14, 2009 at 21:56, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > Kurt Buff wrote: >> >> On Wed, May 13, 2009 at 18:18, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: >>>> >>>> On Tue, May 12, 2009 at 17:09, Chris Robertson <crobertson@xxxxxxx> >>>> wrote: >>>>> >>>>> Kurt Buff wrote: >>>>>> >>>>>> All, >>>>>> >>>>>> My user population is having frequent problems fetching PDFs through >>>>>> our squid proxy, and I think I've narrowed down the issue, though I'm >>>>>> not 100% certain of it. >>>>>> >>>>>> I see two deny messages from our Sidewinder firewall, that are >>>>>> associated with the URLs regarding request headers for the PDFs: >>>>>> >>>>>> Â Â "Request denied with request header Unless-Modified-Since." >>>>>> >>>>>> and >>>>>> >>>>>> Â Â "Request denied with request header Translate." >>>>>> >>>>>> Is there a way to cause squid to ignore these request headers from the >>>>>> browsers, >>>>> >>>>> http://www.squid-cache.org/Doc/config/header_access/ >>>>> >>>>>> Â or to replace them with something benign? >>>>> >>>>> http://www.squid-cache.org/Doc/config/header_replace/ >>>>> >>>>>> Â Is it reasonable >>>>>> to do so, or will that just cause further issues? >>>>>> >>>>> There, I can't help. Â I'd suggest contacting support for the Firewall, >>>>> and >>>>> get the problem solved (or at least identified) there. >>>>> >>>>>> Any help and thoughts appreciated. >>>>>> >>>>>> Kurt >>>>>> >>>>> >>>>> Chris >>>> >>>> Unfortunately, adding the two directives: >>>> >>>> header_access Unless-Modified-Since deny all >>>> header_access Translate deny all >>>> >>>> Generates the following errors at start and stop of squid: >>>> >>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:40 unrecognized: >>>> 'header_access' >>>> 2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:41 unrecognized: >>>> 'header_access >>>> >>>> Under FreeBSD, a 'make config' shows that SQUID_STRICT_HTTP is >>>> deselected. From my reading of the make file, this means that the >>>> directive --disable-http-violations is not in effect. >>>> >>>> Will I have to recompile with --enable-http-violations to be able to >>>> use these directives? >>>> >>>> Kurt >>>> >>> Yes. >>> >>> Amos >> >> I came to that conclusion on my own, and did recompile with that >> option ('make --enable-http-violations' then 'make install', and it >> went without error) but it didn't help, as I'm getting the same error >> message. >> >> I'm sure I'm missing something, but need a clue... >> >> Kurt > > Just done a quick check of the code and it looks like those two particular > headers are not in the 'standard' set known to squid. > > From the descriptions I can find about the header I thunk we should be > adding it as known and allowing some security controls over it. > > Patch coming. What release of Squid are you using? squid-3.0.15 is what I show. Thanks for the help - I await news. Kurt
