On 04/27/2011 06:16 PM, Amos Jeffries wrote:
> On Wed, 27 Apr 2011 12:04:23 -0500, Sam Klinger wrote:
>> Steps to reproduce:
>> 1. Go to
>>
>> http://sourceforge.net/projects/sarg/files/sarg/sarg-2.3.1/sarg-2.3.1.tar.gz/download
>>
>> 2. Attempt to download
>> 3. Squid will display error page saying "The requested URL could not be
>> retrieved" and "The HTTP Response message received from the contacted
>> server could not be understood or was otherwise malformed. Please
>> contact the site operator."
>>
>>
>> cache.log contains the error below:
>> 2011/04/27 11:53:25| WARNING: HTTP: Invalid Response: Bad header
>> encountered from
>>
>> http://downloads.sourceforge.net/project/sarg/sarg/sarg-2.3.1/sarg-2.3.1.tar.gz?r=&ts=1303923196&use_mirror=cdnetworks-us-1
>>
>> AKA
>>
>> downloads.sourceforge.net/project/sarg/sarg/sarg-2.3.1/sarg-2.3.1.tar.gz?r=&ts=1303923196&use_mirror=cdnetworks-us-1
>>
>> 2011/04/27 11:53:25| ctx: enter level 0:
>>
>> 'http://downloads.sourceforge.net/project/sarg/sarg/sarg-2.3.1/sarg-2.3.1.tar.gz?r=&ts=1303923196&use_mirror=cdnetworks-us-1'
>>
>> 2011/04/27 11:53:25| WARNING: HTTP header contains NULL characters
>> {Access-Control-Allow-Origin: *
>> X-Powered-By: PHP/5.2.9
>> Content-Disposition: attachment; filename="sarg-2.3.1.tar.gz}
>> NULL
>> {Access-Control-Allow-Origin: *
>> X-Powered-By: PHP/5.2.9
>> Content-Disposition: attachment; filename="sarg-2.3.1.tar.gz
>> 2011/04/27 11:53:25| ctx: exit level 0
>>
>> Here is a squid -v
>> Squid Cache: Version 3.1.12.1
>> configure options: 'CHOST=i686-pc-linux-gnu' 'CFLAGS=-march=prescott
>> -O2 -pipe -fomit-frame-pointer' 'CXXFLAGS=' '--prefix=/usr'
>> '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info'
>> '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3'
>> '--disable-maintainer-mode' '--disable-dependency-tracking'
>> '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid3'
>> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
>> '--enable-async-io=8' '--with-cppunit-basedir=/usr'
>> '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=heap'
>> '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client'
>> '--enable-underscore' '--enable-follow-x-forwarded-for'
>> '--enable-auth=basic,digest,ntlm,negotiate'
>>
>> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,YP,getpwnam,multi-domain-NTLM'
>>
>> '--enable-digest-auth-helpers=ldap,password'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>>
>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>>
>> '--enable-snmp' '--enable-epoll'
>> '--with-large-files--with-filedescriptors=65536' '--enable-arp-acl'
>> '--enable-zph-qos' '--enable-esi' '--with-logdir=/var/log/squid3'
>> '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
>> '--with-large-files' '--enable-linux-netfilter'
>> '--with-default-user=proxy' --with-squid=/opt/squid-3.1.12.1
>>
>> Sourceforge is not the only website that does it, not all websites do
>> it, but some. So far all affected websites have been affected in the
>> header line "Content-Disposition".
>>
>> I also have wireshark captures from a machine running outside squid
>> and one running inside. Any help with this issue would be appreciated.
>> Thank you.
>
> Squid is doing all that is possible to be done in these circumstances.
> The HTTP headers are sent with a binary connection terminator (NULL)
> right in the middle of an ASCII-only portion of the protocol.
>
> The cache.log trace shows a full trace of the header block with " NULL "
> in the middle where the NULL is occurring. Do not be fooled by the
> duplicate nature of headers in that trace. That is actually what squid
> has received:
>
> Access-Control-Allow-Origin: *\r\n
> X-Powered-By: PHP/5.2.9\r\n
> Content-Disposition: attachment; filename="sarg-2.3.1.tar.gz\0
> Access-Control-Allow-Origin: *\r\n
> X-Powered-By: PHP/5.2.9\r\n
> Content-Disposition: attachment; filename="sarg-2.3.1.tar.gz\0
>
>
> Normally one needed only to report it to the source website that their
> server or script is broken. Nowadays you may also have to trace the whole
> relay path looking for broken content adapters.
>
> Amos
>

Thank you for your help Amos, and your hunch was correct about broken content adapters; after extensive searching I found that the issue was with our IBM Proventia firewall mangling the headers. I have yet to find a workaround or fix for the issue.

Relevant mailing list thread:
http://www.squid-cache.org/mail-archive/squid-users/200904/0562.html
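
Tracing the relay path as Amos suggests, shown as an added example that is not part of the original thread: the Python below scans the raw header block captured at each hop and reports which header line carries a NUL or other illegal control byte, then names the first hop where it appears. The capture bytes are constructed from the headers quoted above; the status line, the clean upstream copy, the hop labels and all function names are assumptions.

```python
# Added example (not from the thread): find illegal bytes in an HTTP header block.
ALLOWED_CTL = {0x09}  # HTAB is the only control byte permitted in a field value


def header_block(raw: bytes) -> bytes:
    """Bytes up to the blank line ending the headers (all of raw if none)."""
    end = raw.find(b"\r\n\r\n")
    return raw if end == -1 else raw[:end]


def find_bad_bytes(raw: bytes):
    """Return [(line_no, offset, byte, field_name)] for each illegal byte."""
    findings = []
    for line_no, line in enumerate(header_block(raw).split(b"\r\n"), start=1):
        name = "(status-line)" if line_no == 1 else \
            line.split(b":", 1)[0].decode("latin-1")
        for off, b in enumerate(line):
            # NUL, bare CR/LF and other C0 controls, plus DEL, are not valid here
            if (b < 0x20 and b not in ALLOWED_CTL) or b == 0x7F:
                findings.append((line_no, off, b, name))
    return findings


def first_bad_hop(captures):
    """captures: ordered (label, raw) pairs, origin side first.
    Returns the label of the first capture with illegal bytes, else None."""
    for label, raw in captures:
        if find_bad_bytes(raw):
            return label
    return None


# Constructed captures. Header values come from the cache.log trace quoted
# above; the status line and the clean upstream copy are assumptions.
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Access-Control-Allow-Origin: *\r\n"
         b"X-Powered-By: PHP/5.2.9\r\n"
         b'Content-Disposition: attachment; filename="sarg-2.3.1.tar.gz"\r\n\r\n')
MANGLED = (b"HTTP/1.1 200 OK\r\n"
           b"Access-Control-Allow-Origin: *\r\n"
           b"X-Powered-By: PHP/5.2.9\r\n"
           b'Content-Disposition: attachment; filename="sarg-2.3.1.tar.gz\x00\r\n\r\n')

if __name__ == "__main__":
    hops = [("outside firewall", CLEAN), ("inside firewall", MANGLED)]
    for label, raw in hops:
        for line_no, off, b, name in find_bad_bytes(raw):
            print(f"{label}: line {line_no} ({name}) offset {off}: 0x{b:02x}")
    print("first hop with illegal bytes:", first_bad_hop(hops))
```

Feed it the reassembled TCP payload of the response from each capture point, ordered from the origin server towards the proxy.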