[squid-users] RFC2616 headers in bumped requests

Steve Hill steve at opendium.com
Tue Nov 4 10:17:58 UTC 2014


Squid (correctly) inserts Via and X-Forwarded-For headers into requests
that it is proxying.  However, in the case of encrypted traffic, the
server and client are expecting the traffic to reach the other end
as-is, since usually this could not be intercepted.  With SSL bumped
requests this is no longer true - the proxy can (and does) modify the
traffic, by inserting these headers.

So I'm asking the question: is this behavior considered desirable, or
should we be attempting to modify the request as little as possible for
compatibility reasons?

I've just come across a web server that throws its toys out of the pram
when it sees a Via header in an HTTPS request, and unfortunately it's
quite a big one - Yahoo.  See this request:

-----
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com
Via: 1.1

HTTP/1.1 301 Moved Permanently
Date: Tue, 04 Nov 2014 09:55:40 GMT
Via: http/1.1 yts212.global.media.ir2.yahoo.com (ApacheTrafficServer [c
s f ]), http/1.1 r04.ycpi.ams.yahoo.net (ApacheTrafficServer [cMsSfW])
Server: ATS
Strict-Transport-Security: max-age=172800
Location:
https://uk.finance.yahoo.com/news/degrees-lead-best-paid-careers-141513989.html
Content-Length: 0
Age: 0
Connection: keep-alive
-----

Compare to:

-----
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com

HTTP/1.1 200 OK
...
-----


Note that the 301 that they return when a Via header is present just
points back at the same URI, so the client never gets the object it
requested.

For now I have worked around it with:
  request_header_access Via deny https
  request_header_access X-Forwarded-For deny https
But it does make me wonder if inserting the headers into bumped traffic
is a sensible thing to do.

-- 

 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve at opendium.com
   Email:            steve at opendium.com
   Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
   Email:            sales at opendium.com
   Phone:            +44-1792-825748 / sip:sales at opendium.com

Support contacts:
   Email:            support at opendium.com
   Phone:            +44-1792-824568 / sip:support at opendium.com
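
Added example, not part of the original message: a Python check for the failure described in the post, where a 3xx response points back at the URI that was requested, reporting which proxy-inserted headers the request carried. The function names are hypothetical and the sample exchange is constructed from the one quoted above, with the wrapped header lines rejoined.

```python
from urllib.parse import urljoin, urlsplit

PROXY_HEADERS = ("via", "x-forwarded-for")  # headers the proxy inserts

def parse_head(raw):
    """Split a raw HTTP message head into (start line, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:   # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.strip()
    return lines[0], headers

def normalise(url):
    """Comparable form: lowercase scheme and host, default port dropped."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    port = "" if u.port in (None, default) else ":%d" % u.port
    query = "?" + u.query if u.query else ""
    return "%s://%s%s%s%s" % (u.scheme.lower(), (u.hostname or "").lower(),
                              port, u.path or "/", query)

def diagnose(request, response, scheme="https"):
    """Report whether the response redirects the client to the URI it asked for."""
    req_line, req_h = parse_head(request)
    status_line, resp_h = parse_head(response)
    target = req_line.split(" ", 2)[1]
    requested = normalise("%s://%s%s" % (scheme, req_h["host"], target))
    status = int(status_line.split(" ", 2)[1])
    location = resp_h.get("location")
    self_redirect = (status in (301, 302, 303, 307, 308)
                     and location is not None
                     and normalise(urljoin(requested, location)) == requested)
    return {"status": status, "self_redirect": self_redirect,
            "proxy_headers": [h for h in PROXY_HEADERS if h in req_h]}

# Constructed sample input, based on the exchange quoted in the post.
PATH = "/news/degrees-lead-best-paid-careers-141513989.html"
VIA_REQUEST = "GET %s HTTP/1.1\nHost: uk.finance.yahoo.com\nVia: 1.1\n" % PATH
PLAIN_REQUEST = "GET %s HTTP/1.1\nHost: uk.finance.yahoo.com\n" % PATH
REDIRECT_RESPONSE = ("HTTP/1.1 301 Moved Permanently\n"
                     "Location: https://uk.finance.yahoo.com%s\n"
                     "Content-Length: 0\n" % PATH)
OK_RESPONSE = "HTTP/1.1 200 OK\n"

if __name__ == "__main__":
    print(diagnose(VIA_REQUEST, REDIRECT_RESPONSE))
    print(diagnose(PLAIN_REQUEST, OK_RESPONSE))
```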

