Hello all,
It's my first post here - hope I do everything right.
My constellation:
Squid 2.7 Stable 8, and also tried with a version 3
OS: Windows 2000/XP (tried both)
My problem is version- and OS-independent.
My problem:
I am trying to remove an existing HTTP header from a response from the eBay
server. It's an advertising cookie.
To my understanding, the ACL keyword rep_header is used for ACLs
1. Try
Added the following (version 2.7):
acl cebay rep_header Set-Cookie ebay
header_access Set-Cookie deny cebay
The logfile shows the following:
2012/11/27 16:02:20| aclMatchIp: '192.168.178.11' found
2012/11/27 16:02:20| aclMatchAclList: returning 1
2012/11/27 16:02:20| aclCheck: match found, returning 1
2012/11/27 16:02:20| aclCheckCallback: answer=1
2012/11/27 16:02:20| The request GET http://www.ebay.de is ALLOWED, because it matched 'localnet'
2012/11/27 16:02:20| aclMatchAclList: checking cebay
2012/11/27 16:02:20| aclMatchAcl: checking 'acl cebay rep_header Set-Cookie ebay'
2012/11/27 16:02:20| aclMatchAclList: no match, returning 0
2012/11/27 16:02:20| aclMatchAclList: checking cebay
2012/11/27 16:02:20| aclMatchAcl: checking 'acl cebay rep_header Set-Cookie ebay'
2012/11/27 16:02:20| aclMatchAclList: no match, returning 0
2012/11/27 16:02:20| aclMatchAclList: checking cebay
2012/11/27 16:02:20| aclMatchAcl: checking 'acl cebay rep_header Set-Cookie ebay'
2012/11/27 16:02:20| aclMatchAclList: no match, returning 0
2012/11/27 16:02:20| aclMatchAclList: checking cebay
2012/11/27 16:02:20| aclMatchAcl: checking 'acl cebay rep_header Set-Cookie ebay'
2012/11/27 16:02:20| aclMatchAclList: no match, returning 0
2012/11/27 16:02:20| aclMatchAclList: checking cebay
2012/11/27 16:02:20| aclMatchAcl: checking 'acl cebay rep_header Set-Cookie ebay'
2012/11/27 16:02:20| aclMatchAclList: no match, returning 0
2012/11/27 16:02:20| aclMatchAclList: checking all
2012/11/27 16:02:20| aclMatchAcl: checking 'acl all src all'
2012/11/27 16:02:20| aclMatchIp: '192.168.178.11' found
2012/11/27 16:02:20| aclMatchAclList: returning 1
2012/11/27 16:02:20| aclCheck: checking 'http_reply_access allow all'
2012/11/27 16:02:20| aclMatchAclList: checking all
2012/11/27 16:02:20| aclMatchAcl: checking 'acl all src all'
2012/11/27 16:02:20| aclMatchIp: '192.168.178.11' found
2012/11/27 16:02:20| aclMatchAclList: returning 1
2012/11/27 16:02:20| aclCheck: match found, returning 1
2012/11/27 16:02:20| aclCheckCallback: answer=1
2012/11/27 16:02:20| The reply for GET http://www.ebay.de/ is ALLOWED, because it matched 'all'
The ACL cebay is checked 5 times, because of the presence of 5
Set-Cookie headers in the reply of the eBay server,
but none of these has a match.
The first of the Set-Cookie headers is always ebay and should give a match.
When I debug the program with WinDbg, I found out that the sub aclMatchAclList
calls the function aclMatchAcl;
there it returns 0, so checklist->reply seems to be false...
    case ACL_REP_HEADER:
        if (!checklist->reply)
            return 0;
        return aclMatchHeader(ae->data, &checklist->reply->header);
I don't really understand why reply is empty, because it also sees the
headers (5 times Set-Cookie).
Am I wrong, or is there a bug?
In Squid 3 the following error is shown: "ACL is used but there is no
HTTP reply"
2. Try
Added the following:
acl cebay rep_header Set-Cookie ebay
http_reply_access deny cebay
This works like I expected - I get an access denied because of the existence of
the Set-Cookie ebay=....
When I change the ACL to:
acl cebay rep_header Set-Cookie nonsession
or
acl cebay rep_header Set-Cookie dp1
access isn't denied, although there is a Set-Cookie nonsession=... or
Set-Cookie dp1=...
It seems like it just checks the first occurrence of the Set-Cookie header value.
Shouldn't it look for all headers?
I would appreciate any help with a solution for my wish to remove an existing
Set-Cookie response.
Andreas
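
Added example, not part of the original post and not Squid source code: a small Python model of the two matching behaviours described above (testing only the first Set-Cookie field versus testing every one), plus a filter that drops a single cookie by name. The header values are constructed; only the cookie names ebay, nonsession and dp1 come from the post, and all function names are hypothetical.

```python
import re

# Constructed reply headers with five Set-Cookie fields, as in the post.
# Cookie names ebay, dp1 and nonsession are from the post; the other
# names and all values are made up for this example.
SAMPLE_REPLY = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ebay=constructed; Domain=.ebay.de; Path=/"),
    ("Set-Cookie", "dp1=constructed; Domain=.ebay.de; Path=/"),
    ("Set-Cookie", "s=constructed; Domain=.ebay.de; Path=/"),
    ("Set-Cookie", "nonsession=constructed; Domain=.ebay.de; Path=/"),
    ("Set-Cookie", "other=constructed; Domain=.ebay.de; Path=/"),
]

def values_of(headers, name):
    """All values of the fields called `name` (case-insensitive), in order."""
    return [v for f, v in headers if f.lower() == name.lower()]

def match_first(headers, name, pattern):
    """Model of the observed behaviour: only the first field is tested."""
    values = values_of(headers, name)
    return bool(values) and re.search(pattern, values[0]) is not None

def match_any(headers, name, pattern):
    """Model of the expected behaviour: every field is tested."""
    return any(re.search(pattern, v) for v in values_of(headers, name))

def strip_cookies(headers, cookie_names):
    """Drop only the Set-Cookie fields that set one of cookie_names."""
    kept = []
    for field, value in headers:
        cookie = value.split("=", 1)[0].strip()
        if field.lower() == "set-cookie" and cookie in cookie_names:
            continue
        kept.append((field, value))
    return kept

if __name__ == "__main__":
    for pat in ("ebay", "nonsession", "dp1"):
        print(pat, match_first(SAMPLE_REPLY, "Set-Cookie", pat),
              match_any(SAMPLE_REPLY, "Set-Cookie", pat))
    # An unanchored "ebay" also hits Domain=.ebay.de; anchor on the name.
    cleaned = strip_cookies(SAMPLE_REPLY, {"ebay"})
    print(match_any(cleaned, "Set-Cookie", r"^ebay="), len(cleaned))
```

In this model an unanchored pattern such as ebay still matches the remaining cookies through their Domain attribute, so a value pattern meant to select one cookie should be anchored on the cookie name.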