-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 17/11/2014 11:25 p.m., Steve Hill wrote: > On 04/11/14 13:59, Amos Jeffries wrote: > >>> I've just come across a web server that throws its toys out of >>> the pram when it sees a Via header in an HTTPS request, and >>> unfortunately it's quite a big one - Yahoo. See this request: >> >>> ----- GET /news/degrees-lead-best-paid-careers-141513989.html >>> HTTP/1.1 Host: uk.finance.yahoo.com Via: 1.1 >> >> That is unfortunately an invalid HTTP Via header. It is mandatory >> to contain the host field even if it contains a host alias for >> the real FQDN. If that is what is actually being transfered the >> server is right in complaining. > > It looks like I copied and pasted this wrong in my original email, > I have just retested and squid sends: Via: 1.1 iceni2.opendium.net > (squid/3.4.9) > >>> For now I have worked around it with: request_header_access >>> Via deny https request_header_access X-Forwarded-For deny https >>> But it does make me wonder if inserting the headers into bumped >>> traffic is a sensible thing to do. >> >> If you can please chek that Via header being emitted by your >> Squid when things break. And also whether your Squid is >> contacting their server on an HTTPS or HTTP port. If your Squid >> is contacting their HTTP port for un-encrypted traffic this >> redirect is competely expected. > > This is definitely occurring when contacting the server on HTTPS > with a valid Via header: > Would you mind running an experiment for me? To see what happens if Squid delivers either of these Via headers instead of its current output: Via: HTTPS/1.1 iceni2.opendium.net (squid/3.4.9) Via: TLS/1.2 iceni2.opendium.net (squid/3.4.9) Setting it with request_header_access/replace should do. Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUanERAAoJELJo5wb/XPRjbX0IAIsacfWnhx0zsP8AIzjXFvIr bg1c19Hbgk2OmcxpBMA3b5cWggqPnZskUkQ/SLZphjt9z/tIbMa5Mgl0Ih7vTg5X Z9GhX+gf3YoM2WLMymWnvzCRzQ6NwZKs856TFWYtM0gV8HPRFlVyGBp8cxya4yYh rdGcp++yAC2LmvIGmELnQtXf74XyaIBw+exWwXCokHPh3MTD1CmsrD8rm1WJ2tBC JnTxT5p8QL2NcuCAQqw9uZuckG9aVUsAOOdxSO8l7rkcQnuRJZKm3ZO7y4/kYrcU XO1riDW0Ow0Xx0HAF/HMkz+pux2sPVvMeDa3JSP07sIVrcc8eaISZPXaC3n8FBQ= =Xwwe -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
