[squid-dev] Digest related question.

Eliezer Croitoru eliezer at ngtech.co.il
Wed Mar 18 20:59:16 UTC 2015


Thanks Henrik,

I have been wondering about what you have mentioned.

I am still considering couple things about Deep Response Inspection 
while it's might cost some more CPU time.

Eliezer

On 18/03/2015 10:23, Henrik Nordström wrote:
> mån 2015-03-16 klockan 04:03 +0200 skrev Eliezer Croitoru:
>
>> My main concern until now is that if squid would have the cached object
>> in a digest url form such as:
>> http://digest.squid.internal/MD5/xyz123"
>>
>> Squid would in many cases try to verify against the origin server that
>> the cached object has the same ETAG and MODIFICATION time.
>
> The Digest alone is only on the body, and says nothing about header
> authority. You need to get trusted object headers from somewhere else,
> i.e. the requested origin. Once you have the authoritative headers you
> can splice in the digest verified response body.
>
> This is in some sense similar to the header merging needed in ETag based
> variant handling on a single URL, but even more so as you must not take
> headers from one random URL and apply them to another requested URL
> without permission unless the requested URL permits this.  Violating
> this opens a range of security concerns where headers may be injected
> giving a different result than intended by the origin.
>
> Regards
> Henrik
>



More information about the squid-dev mailing list