I think the request is HTTP/1.1 because I captured it, and under 'Hypertext Transfer Protocol' in the POST section the field 'Request version' is HTTP/1.1.

I understand Squid 2.7 is not able to understand HTTP/1.1, but I ask myself: if the 'Content-Length' field was missing in the HTTP/1.1 request and Squid was compliant with HTTP/1.1 (Squid 3.x version), would Squid return 'DENIED/411' again?

>----Original message----
>From: squid3@xxxxxxxxxxxxx
>Date: 8-nov-2014 12.38
>To:
>Subject: Re: TCP_DENIED/411
>
>On 8/11/2014 9:05 p.m., Riccardo Castellani wrote:
>> Squid (we are using 2.7 version) checks inside http request to
>> verify message is compliant to rfc but I ask myself if there is way
>> to stop this check for specific site/client, at least temporarily…
>> to exclude firewall problems too.
>>
>
>Don't, just don't. Seriously.
>
>The proxy gets screwed over:
>https://www.owasp.org/index.php/Improper_Data_Validation
>
>Then the origin server risks getting screwed over:
>https://www.owasp.org/index.php/Cross-User_Defacement
>https://www.owasp.org/index.php/Improper_Data_Validation
>
>Being a POST the application itself risks getting screwed over with
>infinite-length input:
>https://www.owasp.org/index.php/Improper_Data_Validation
>https://www.owasp.org/index.php/Process_Control
>https://www.owasp.org/index.php/Unsafe_Reflection
>
>And then side effects can echo right back out to the proxy to trigger
>further rounds of nastiness at random times in the future:
>https://www.owasp.org/index.php/HTTP_Response_Splitting
>https://www.owasp.org/index.php/Cross-User_Defacement
>https://www.owasp.org/index.php/Cache_Poisoning
>
>The 411 response is telling you that the client sending the proxy a
>request message is broken. Many of the above attack side effects could
>be happening in other software already as a result of this client
>Squid caught out. It really, really needs to be fixed ASAP.
>
>Now, there is a small possibility that the client is using HTTP/1.1
>Transfer-Encoding Squid-2.7 does not understand. The first fix for
>that is to upgrade to an HTTP/1.1 compliant Squid (which 2.7 is *not*).
>
>Amos
>_______________________________________________
>squid-users mailing list
>squid-users@xxxxxxxxxxxxxxxxxxxxx
>http://lists.squid-cache.org/listinfo/squid-users
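
A sketch of the body-framing check this thread is about, added here as an example (it is not Squid's code and not from either poster): given a captured request head, it reports whether the body length is known and when a 411 is the fitting answer. The function name, the `understands_chunked` flag (modelling a parser that ignores Transfer-Encoding) and the sample requests are constructed assumptions.

```python
# Added illustration, not Squid's code: how a strict HTTP parser decides
# whether a request body's length is known. Sample requests are constructed.
BODY_METHODS = {"POST", "PUT", "PATCH"}

def classify_framing(raw: bytes, understands_chunked: bool = True) -> str:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, _target, version = request_line.split(" ", 2)

    lengths, codings = [], []
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "content-length":
            lengths.append(value.strip())
        elif name == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",")]

    if not understands_chunked:
        codings = []  # assumption: a pre-HTTP/1.1 parser ignores the header
    if codings and lengths:
        return "ambiguous"  # two competing lengths: a strict policy rejects
    if len(set(lengths)) > 1 or any(not v.isdigit() for v in lengths):
        return "bad-length"  # conflicting or non-numeric Content-Length
    if lengths:
        return "content-length"
    if codings:
        # chunked is defined for HTTP/1.1 and must be the final coding
        ok = version == "HTTP/1.1" and codings[-1] == "chunked"
        return "chunked" if ok else "bad-framing"
    # No usable length: for a body-carrying method a proxy may answer 411
    return "length-required" if method in BODY_METHODS else "no-body"

SAMPLES = {  # constructed requests, not taken from the capture in the thread
    "with_length": b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 5\r\n\r\nhello",
    "no_length": b"POST /form HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "chunked": b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "both": b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_framing(raw),
              classify_framing(raw, understands_chunked=False))
```

Running it on the head of the captured POST shows which case applies: a chunked request that a parser without Transfer-Encoding support sees as having no length at all, or a request that carries no length information for any parser.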