Re: How to strip/ignore header in squid?


Kurt Buff wrote:
On Thu, May 14, 2009 at 21:56, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Kurt Buff wrote:
On Wed, May 13, 2009 at 18:18, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On Tue, May 12, 2009 at 17:09, Chris Robertson <crobertson@xxxxxxx>
wrote:
Kurt Buff wrote:
All,

My user population is having frequent problems fetching PDFs through
our squid proxy, and I think I've narrowed down the issue, though I'm
not 100% certain of it.

I see two deny messages from our Sidewinder firewall, that are
associated with the URLs regarding request headers for the PDFs:

    "Request denied with request header Unless-Modified-Since."

and

    "Request denied with request header Translate."

Is there a way to cause squid to ignore these request headers from the
browsers,
http://www.squid-cache.org/Doc/config/header_access/

 or to replace them with something benign?
http://www.squid-cache.org/Doc/config/header_replace/

 Is it reasonable
to do so, or will that just cause further issues?

There, I can't help. I'd suggest contacting support for the Firewall, and
get the problem solved (or at least identified) there.

Any help and thoughts appreciated.

Kurt

Chris
Unfortunately, adding the two directives:

    header_access Unless-Modified-Since deny all
    header_access Translate deny all

Generates the following errors at start and stop of squid:

   2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:40 unrecognized: 'header_access'
   2009/05/13 11:42:57| cache_cf.cc(346) squid.conf:41 unrecognized: 'header_access

Under FreeBSD, a 'make config' shows that SQUID_STRICT_HTTP is
deselected. From my reading of the make file, this means that the
directive --disable-http-violations is not in effect.

Will I have to recompile with --enable-http-violations to be able to
use these directives?

Kurt

Yes.

Amos
I came to that conclusion on my own, and did recompile with that
option ('make --enable-http-violations' then 'make install', and it
went without error) but it didn't help, as I'm getting the same error
message.

I'm sure I'm missing something, but need a clue...

Kurt
Just done a quick check of the code and it looks like those two particular
headers are not in the 'standard' set known to squid.

From the descriptions I can find about the header I think we should be
adding it as known and allowing some security controls over it.

Patch coming. What release of Squid are you using?

squid-3.0.15 is what I show.

Thanks for the help - I await news.

Kurt

Please find attached a patch for 3.0 that adds the headers so header_access can remove them.

This should apply with -p0, or if not on your version on the current snapshots.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7
=== modified file 'src/HttpHeader.cc'
--- src/HttpHeader.cc	2009-04-14 15:38:39 +0000
+++ src/HttpHeader.cc	2009-05-17 07:21:19 +0000
@@ -124,7 +124,9 @@
         {"Title", HDR_TITLE, ftStr},
         {"Trailers", HDR_TRAILERS, ftStr},
         {"Transfer-Encoding", HDR_TRANSFER_ENCODING, ftStr},
+	{"Translate", HDR_TRANSLATE, ftSTr},	/* for now. may need to crop */
         {"Upgrade", HDR_UPGRADE, ftStr},	/* for now */
+	{"Unless-Modified-Since", HDR_UNLESS_MODIFIED_SINCE, ftStr},  /* for now ignore. may need to crop */
         {"User-Agent", HDR_USER_AGENT, ftStr},
         {"Vary", HDR_VARY, ftStr},	/* for now */
         {"Via", HDR_VIA, ftStr},	/* for now */
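Review bot: the added "Translate" row gives its field type as ftSTr, while every other row in this table, including the added "Unless-Modified-Since" row, uses ftStr; this looks like a typo that would stop the file compiling and should read ftStr. Two smaller points on the same hunk: the added rows are indented with a tab where the surrounding rows use spaces, and "Unless-Modified-Since" is placed after "Upgrade" although the neighbouring rows are alphabetical.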

=== modified file 'src/HttpHeader.h'
--- src/HttpHeader.h	2009-04-10 07:49:36 +0000
+++ src/HttpHeader.h	2009-05-17 07:19:47 +0000
@@ -98,7 +98,9 @@
     HDR_TITLE,
     HDR_TRAILERS,
     HDR_TRANSFER_ENCODING,
+    HDR_TRANSLATE,             /* IIS custom header we may need to cut off */
     HDR_UPGRADE,
+    HDR_UNLESS_MODIFIED_SINCE,             /* IIS custom header we may need to cut off */
     HDR_USER_AGENT,
     HDR_VARY,
     HDR_VIA,
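Review bot: HDR_UNLESS_MODIFIED_SINCE is inserted after HDR_UPGRADE, which breaks the alphabetical order the neighbouring enumerators follow; placing it above HDR_UPGRADE, with the matching move in the HttpHeader.cc table, keeps the two lists easy to compare. The two added comments are identical, so a few words on what each header is used for would document why it may need to be cut off.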

