On Tue, Mar 16, 2010 at 09:46:44PM +0000, Amos Jeffries wrote: > On Tue, 16 Mar 2010 14:06:59 +0000, Graham Keeling <graham@xxxxxxxxxxxx> > wrote: > > Hello, > > > > In older versions of squid, I was able to block or allow specific > arbitrary > > request headers. For example: > > > > header_access X-SomeRandomHeaderA allow all > > header_access X-SomeRandomHeaderB deny all > > > > In squid-3.1 (and 3.0, I think), the equivalent of header_access for > > request > > headers is now request_header_access. > > > > But if I try this, squid gets upset and doesn't start: > > request_header_access X-SomeRandomHeaderA allow all > > "allow all" is the default. You can ignore those settings. > > > request_header_access X-SomeRandomHeaderB deny all > > > > It says: > > 2010/03/16 13:55:19| parse_http_header_access: unknown header name > > 'X-SomeRandomHeaderA' > > > > So, it seems that you can only add headers that squid knows about > > internally. > > Which is what this page says: > > http://www.squid-cache.org/Doc/config/request_header_access/ > > > > You can only specify known headers for the header name. > > Other headers are reclassified as 'Other'. You can also > > refer to all the headers with 'All'. > > > > I could use 'Other', but it means that I have to treat all unknown > headers > > in the same way. Unless I'm missing something. > > > > > > So, can anybody tell me how to block or allow specific arbitrary request > > headers in squid-3.1? > > > > Not possible in Squid-3. Removing random headers is a violation of HTTP > protocol and can seriously break things when not understood. > > If you can present to us some information about these special headers that > shows they are in fact deserving of stripping, we can add them. Thanks for your reply. What I am doing is using a url/content filter in front of squid. I have the filter listening on two ports. One port is for filtering with authentication. One port is for filtering without authentication. The filter adds a header that says which port a request came in on. I then have a squid acl rule that matches the port in this header, which turns on authentication in squid. But, I don't want squid to then forward my new header out to the web server. And I don't want to use 'Other' to block it, as that will block application X and its proprietory headers. > There is always the eCAP/ICAP filtering add-on interface now available for > local control. > > > Rant: I for one got tired of handling complaints because application X > would not work through Squid when the admin stripped away all it's > proprietary headers. > > > Amos
