Damn, that is f'ed up. And it is a huge Danish site used by almost
every single company in Denmark.

Thank you for your breakdown of the problem.

Cheers,
Brian

2012/2/4 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 2/02/2012 10:27 p.m., Per Jessen wrote:
>>
>> Brian Andersen wrote:
>>
>>> Hi, I have squid running on an Ubuntu server with shorewall. I am using
>>> the default squid config files and I have only blocked one site (which
>>> isn't virk.dk). All sites work perfectly, except http://virk.dk. If I
>>> do not redirect my traffic through Squid it works perfectly.
>>>
>>> Can anyone here please check that site (it is a public company site in
>>> Denmark), and maybe enlighten me on what settings I have to change to
>>> get it to work.
>>
>> It doesn't work here either - to start with, I've blacklisted it:
>>
>> acl virkdk dstdomain .virk.dk
>> cache deny virkdk
>>
>> I'm not sure if that works, I'm pretty certain I see this message in the
>> log on every first attempt to access http://virk.dk:
>>
>> Invalid chunk header '#037213#010'
>>
>
> Aha. That would be one of the problems.
>
> I've just run a few tests.
>
> The server seems to be very broken.
>
> When HTTP/1.1 clients send it an invalid request (missing Host) it works
> fine. WTF?
>
> When HTTP/1.1 clients send it a valid request it responds with
> Transfer-Encoding headers stating that the response is chunked encoded twice
> (two layers to decode).
> BUT... the response is only chunked once.
>
> When HTTP/1.0 clients send it any request it still responds with
> Transfer-Encoding headers.
> * Only one encoding is indicated, BUT HTTP/1.0 clients do not support
> chunked encoding and MUST NOT be sent such headers.
> * On top of that mess, the body is not actually encoded.
>
>
> 'GET /cms/render/live/da/sites/virk/home.html HTTP/1.0
> Host: virk.dk
> User-Agent: squidclient/3.3
> Accept: */*
> Connection: close
>
> '
> Resolving... virk.dk
> Connecting... virk.dk(213.174.73.30)
> Connected to: virk.dk (213.174.73.30)
> HTTP/1.1 200 OK
> Set-Cookie: JSESSIONID=E2059352BD9CAA154835BE95F9597AF2; Path=/; HttpOnly
> Server: Apache-Coyote/1.1
> Expires: Wed, 09 May 1979 05:30:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate,
> max-age=0
> Pragma: no-cache
> Transfer-Encoding: chunked <--- Problem #1: HTTP/1.0 client getting
> chunked header.
> Vary: Accept-Encoding
> Date: Sat, 04 Feb 2012 00:46:04 GMT
> P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
> Content-Type: text/html;charset=UTF-8
> Connection: close
>
> <--- Problem #2: no chunked encoding.
> <!DOCTYPE html PUBLIC ...
> ...
>
>
>
> 'GET /cms/render/live/da/sites/virk/home.html HTTP/1.1
> Host: virk.dk
> User-Agent: squidclient/3.3
> Accept: */*
> Connection: close
>
> '
> Resolving... virk.dk
> Connecting... virk.dk(213.174.73.30)
> Connected to: virk.dk (213.174.73.30)
> HTTP/1.1 200 OK
> Set-Cookie: JSESSIONID=53C47E3818BC600A142F935214BB8CCA; Path=/; HttpOnly
> Server: Apache-Coyote/1.1
> Expires: Wed, 09 May 1979 05:30:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate,
> max-age=0
> Pragma: no-cache
> Transfer-Encoding: chunked <--- NOTE: first encoding: the body is encoded
> using chunked
> Vary: Accept-Encoding
> Date: Sat, 04 Feb 2012 00:59:54 GMT
> P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
> Content-Type: text/html;charset=UTF-8
> Transfer-Encoding: chunked <--- NOTE: second encoding: output of the first
> encoding is encoded using chunked.
> <-- Problem #3: RFC 2616 requires that chunked MUST NOT have another
> encoding applied on top of it (it must be the last encoding). First encoding
> was chunked.
> Connection: close
>
> 2000 <--- NOTE: this is what chunked encoding looks like in HTTP/1.1
> <--- Problem #4: the inner layer of chunking does not exist
> <!DOCTYPE html PUBLIC ...
> ...
>
> Amos
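
Added example, not part of the original thread and not Squid's code: a small Python check that compares the Transfer-Encoding headers of a raw response with the framing actually present in the body, which is the mismatch described in the quoted analysis. The function names `dechunk` and `audit` are hypothetical, and the two sample responses are constructed to mirror the captures above.

```python
import re

# Constructed responses mirroring the two captures above (body shortened to 15 bytes).
PAGE = b"<!DOCTYPE html>"
HTTP10 = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" + PAGE
HTTP11 = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
          b"Transfer-Encoding: chunked\r\n\r\nf\r\n" + PAGE + b"\r\n0\r\n\r\n")

def dechunk(body: bytes) -> bytes:
    """Decode one layer of chunked coding; raise ValueError on invalid framing."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        field = body[pos:eol].split(b";", 1)[0] if eol >= 0 else b""  # drop extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", field):
            raise ValueError("invalid chunk header")
        size, start = int(field, 16), eol + 2
        if size == 0:
            return out  # last-chunk reached; trailers are ignored
        if body[start + size:start + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[start:start + size]
        pos = start + size + 2

def audit(request_version: str, raw: bytes) -> list:
    """Return the framing problems found in one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    codings = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"transfer-encoding":
            codings += [c.strip().lower() for c in value.split(b",") if c.strip()]
    problems = []
    if codings and request_version == "HTTP/1.0":
        problems.append("Transfer-Encoding sent to an HTTP/1.0 client")
    declared = codings.count(b"chunked")
    if declared > 1:
        problems.append("chunked declared more than once")
    layers = 0
    try:
        while layers < declared:
            body = dechunk(body)
            layers += 1
    except ValueError:
        pass  # body stopped looking like chunked data at this layer
    if layers < declared:
        problems.append(f"{declared} chunked layer(s) declared, {layers} present")
    return problems
```

Calling `audit("HTTP/1.0", HTTP10)` and `audit("HTTP/1.1", HTTP11)` reports two problems each; a response with a single declared and correctly framed chunked layer returns an empty list.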