On 04/11/14 13:59, Amos Jeffries wrote:

>> I've just come across a web server that throws its toys out of the
>> pram when it sees a Via header in an HTTPS request, and
>> unfortunately it's quite a big one - Yahoo. See this request:
>
>> -----
>> GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
>> Host: uk.finance.yahoo.com
>> Via: 1.1
>
> That is unfortunately an invalid HTTP Via header. It is mandatory to
> contain the host field even if it contains a host alias for the real
> FQDN. If that is what is actually being transferred the server is right
> in complaining.

It looks like I copied and pasted this wrong in my original email, I
have just retested and squid sends:

Via: 1.1 iceni2.opendium.net (squid/3.4.9)

>> For now I have worked around it with:
>> request_header_access Via deny https
>> request_header_access X-Forwarded-For deny https
>> But it does make me wonder if inserting the headers into bumped
>> traffic is a sensible thing to do.
>
> If you can please check that Via header being emitted by your Squid
> when things break. And also whether your Squid is contacting their
> server on an HTTPS or HTTP port.
> If your Squid is contacting their HTTP port for un-encrypted traffic
> this redirect is completely expected.

This is definitely occurring when contacting the server on HTTPS with a
valid Via header:

$ openssl s_client -connect uk.finance.yahoo.com:443 -servername uk.finance.yahoo.com
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., CN = www.yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./CN=www.yahoo.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[certificate removed]
---
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com
Via: 1.1 iceni2.opendium.net (squid/3.4.9)

HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Nov 2014 10:20:57 GMT
Via: http/1.1 yts272.global.media.ir2.yahoo.com (ApacheTrafficServer [c s f ]), http/1.1 r15.ycpi.dee.yahoo.net (ApacheTrafficServer [cMsSfW])
Server: ATS
Strict-Transport-Security: max-age=172800
Location: https://uk.finance.yahoo.com/news/degrees-lead-best-paid-careers-141513989.html
Content-Length: 0
Age: 0
Connection: keep-alive

--
 - Steve

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve@xxxxxxxxxxxx
   Email:             steve@xxxxxxxxxxxx
   Phone:             sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:             sales@xxxxxxxxxxxx
   Phone:             +44-1792-825748 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:             support@xxxxxxxxxxxx
   Phone:             +44-1792-824568 / sip:support@xxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
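
Added example, not part of the original message and not Squid's code: a small Python check for the rule raised in the quoted reply above, that every Via entry must carry a received-by host or pseudonym after the protocol version (RFC 7230 section 5.7.1). The function names are hypothetical, the received-by pattern is a simplification of the RFC grammar, and the sample values are the Via headers quoted in this thread.

```python
import re

# RFC 7230 section 5.7.1:
#   Via = 1#( received-protocol RWS received-by [ RWS comment ] )
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
ENTRY = re.compile(
    rf"(?:(?P<name>{TOKEN})/)?(?P<version>{TOKEN})"  # received-protocol
    rf"(?:[ \t]+(?P<by>[^\s(),]+))?"                 # received-by (simplified)
)

def split_via(value):
    """Return (entry_text, comment) per hop; commas inside comments do not split."""
    text, comment, depth, out = "", "", 0, []
    for ch in value + ",":          # trailing comma flushes the last entry
        if ch == "(":
            depth += 1
        if depth:                   # inside a (possibly nested) comment
            comment += ch
            if ch == ")":
                depth -= 1
        elif ch == ",":
            if text.strip() or comment:
                out.append((text.strip(), comment))
            text, comment = "", ""
        else:
            text += ch
    if depth:
        raise ValueError("unbalanced comment in Via header")
    return out

def parse_via(value):
    """Parse a Via field value into hops; raise ValueError if it is invalid."""
    hops = []
    for text, comment in split_via(value):
        m = ENTRY.fullmatch(text)
        if not m:
            raise ValueError(f"malformed Via entry: {text!r}")
        if not m["by"]:
            raise ValueError(f"Via entry {text!r} has no received-by field")
        hops.append({"protocol": (m["name"] or "HTTP").upper(),
                     "version": m["version"], "by": m["by"], "comment": comment})
    if not hops:
        raise ValueError("empty Via header")
    return hops

# Values copied from the thread above.
SQUID_VIA = "1.1 iceni2.opendium.net (squid/3.4.9)"
PASTED_VIA = "1.1"   # the mis-pasted value, missing received-by
YAHOO_VIA = ("http/1.1 yts272.global.media.ir2.yahoo.com (ApacheTrafficServer [c s f ]), "
             "http/1.1 r15.ycpi.dee.yahoo.net (ApacheTrafficServer [cMsSfW])")
```
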